Repeated userinit.exe find now Generic services


tired


Last week malwarebytes (mwb) would find the following problem and it would find it after each reboot or power cycle after which I ran mwb.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\userinit

That problem went away to be replaced by all sorts of viruses and malware getting into my machine. Today it is reliably the TR\Dropper.gen.

Also, I am getting the following pop-up window called

Attach.zip


Welcome to Malwarebytes!

We'll use another set of tools, then.

Step 1.

OTL:

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, tick the box beside Scan All Users at the top.
  • Underneath Output at the top set it to Standard Output.
  • Underneath the option Extra Registry set it to Use SafeList.
  • Underneath the option File Scans tick the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Download the following file scan.txt to your Desktop. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 2.

Rootkit Unhooker:

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

Step 3.

Things I would like to see in your reply:

  • The content of OTL.txt and Extras.txt from step 1.
  • The content of the report from Rootkit Unhooker in step 2.

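As an added illustration (not code from this thread, from OTL, or from its author), the two checks a helper applies first when reading the OTL.txt produced in Step 1 can be scripted: orphaned auto-start service keys whose binary is gone, and files dated after the scan itself. The scoring rules, thresholds and the "random-looking name" heuristic are this example's own assumptions, and the sample lines are constructed in OTL's format from entries in the log posted later in this thread.

```python
"""Triage checks for OTL (OldTimer) log lines: orphaned auto-start services and
files dated after the scan itself. Scoring rules are this example's own, not OTL's."""
import re
from dataclasses import dataclass
from datetime import datetime

# SRV/DRV line, in either of OTL's two shapes:
#   SRV - File not found [Auto | Stopped] -- C:\...\x.exe -- (ServiceName)
#   SRV - [2010/04/22 09:31:17 | 000,267,432 | ---- | M] (Vendor) [Auto | Running] -- C:\...\y.exe -- (ServiceName)
SVC_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[[^\]]+\] \((?P<company>.*?)\))"
    r" \[(?P<flags>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)"
)
# File-list line: [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (Vendor) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| [^|]+ \| [CM]\].*?-- (?P<path>.+)$"
)
HEADER_RE = re.compile(r"^OTL logfile created on: (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)")
VOWELS = set("aeiouy")

def looks_random(filename: str) -> bool:
    """Generated-looking stem (adsnwj, 2052o): mostly digits or almost vowel-free.
    Also fires on some legitimate drivers (ssmdrv), so it is one signal, never a verdict."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if stem and sum(c.isdigit() for c in stem) >= len(stem) / 2:
        return True
    return bool(letters) and sum(c in VOWELS for c in letters) / len(letters) < 0.2

def risky_location(path: str) -> bool:
    """Directly in the System32 root (not a subfolder) or anywhere under a Temp directory."""
    p = path.lower()
    return (p.startswith("c:\\windows\\system32\\") and p.count("\\") == 3) or "\\temp\\" in p

@dataclass
class Finding:
    name: str
    path: str
    reasons: list

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 4 else "review"

def triage_services(lines) -> list:
    """Services/drivers showing at least three of the four signals, strongest first."""
    findings = []
    for line in lines:
        m = SVC_RE.match(line)
        if not m:
            continue
        missing = m["missing"] is not None
        flags = [f.strip() for f in m["flags"].split("|")]
        signals = [
            (missing, "binary missing but service key still registered"),
            (missing and "Auto" in flags, "set to start automatically at boot"),
            (risky_location(m["path"]), "binary in System32 root or a Temp folder"),
            (looks_random(m["path"].rsplit("\\", 1)[-1]), "file name looks machine-generated"),
        ]
        reasons = [why for hit, why in signals if hit]
        if len(reasons) >= 3:
            findings.append(Finding(m["name"], m["path"], reasons))
    return sorted(findings, key=lambda f: -len(f.reasons))

def scan_time(lines) -> datetime:
    """Scan timestamp from the 'OTL logfile created on:' header line."""
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            return datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
    raise ValueError("no OTL header line found")

def future_dated_files(lines) -> list:
    """Paths whose recorded timestamp is later than the scan that listed them."""
    cutoff = scan_time(lines)
    return [m["path"] for m in map(FILE_RE.match, lines)
            if m and datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S") > cutoff]

# Constructed sample in OTL's format, modelled on entries from the log posted in this thread.
SAMPLE_LOG = r"""OTL logfile created on: 9/26/2010 3:09:35 PM - Run 1
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\adsnwj.exe -- (SysmonLogNetlogon)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\2052o.exe -- (RoxMediaDB9dmserver)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\Richard\LOCALS~1\Temp\AVSETUP_4a41a030\basic\avupgsvc.exe -- (AntiVirUpgradeService)
SRV - [2010/04/22 09:31:17 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)
[2030/11/30 07:18:47 | 000,289,280 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe
[2030/11/30 07:16:49 | 000,000,000 | ---D | C] -- C:\_Susan
[2010/09/26 15:03:27 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe
""".splitlines()

if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name} -> {f.path}\n    " + "; ".join(f.reasons))
    for path in future_dated_files(SAMPLE_LOG):
        print(f"[clock] dated after the scan itself: {path}")
```

A "review" result is a prompt to look closer (here the Avira upgrade service left behind in a Temp folder), not a verdict; only the combination of a missing binary, automatic start, a drop location and a generated-looking name reaches "high".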

Included are the requested files below: otl.txt, extras.txt, and the report.

OTL logfile created on: 9/26/2010 3:09:35 PM - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Richard\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 131.02 Gb Free Space | 87.91% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: X9R2D1

Current User Name: Richard

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/26 15:03:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

PRC - [2010/04/22 09:31:17 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2010/03/02 10:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/04/20 09:09:58 | 001,945,712 | ---- | M] (Acronis) -- C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe

PRC - [2007/04/20 09:03:08 | 000,149,024 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe

PRC - [2007/04/20 09:03:02 | 000,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

PRC - [2007/04/20 08:59:30 | 001,169,720 | ---- | M] (Maxtor) -- C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe

PRC - [2007/02/12 09:05:00 | 001,121,016 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

PRC - [2007/01/17 03:23:38 | 000,109,304 | ---- | M] () -- C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe

PRC - [2006/11/16 14:42:52 | 000,577,536 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE

========== Modules (SafeList) ==========

MOD - [2010/09/26 15:03:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\adsnwj.exe -- (SysmonLogNetlogon)

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\2052o.exe -- (RoxMediaDB9dmserver)

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\Richard\LOCALS~1\Temp\AVSETUP_4a41a030\basic\avupgsvc.exe -- (AntiVirUpgradeService)

SRV - [2010/04/22 09:31:17 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2008/04/14 05:42:40 | 000,050,176 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\utilman.exe -- (UtilMan)

SRV - [2007/04/20 09:03:02 | 000,411,168 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)

DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\fetnd5.sys -- (FETNDIS)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Richard\LOCALS~1\Temp\~Af26490\Upgrade\atidgllk.sys -- (atidgllk)

DRV - [2010/08/08 21:16:14 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)

DRV - [2010/08/08 21:15:52 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)

DRV - [2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)

DRV - [2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)

DRV - [2009/06/23 15:49:29 | 000,020,480 | ---- | M] (NT Kernel Resources) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ndisrd.sys -- (ndisrd)

DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)

DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)

DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/02/15 18:50:28 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)

DRV - [2008/02/15 18:50:28 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys -- (tifsfilter)

DRV - [2008/02/15 18:50:24 | 000,120,992 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)

DRV - [2007/09/28 20:05:58 | 002,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)

DRV - [2007/02/09 12:34:16 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2007/02/08 20:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DLARTL_M.SYS -- (DLARTL_M)

DRV - [2007/02/08 20:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2007/01/10 08:19:42 | 000,099,848 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (DRVMCDB)

DRV - [2006/12/28 23:48:06 | 004,026,112 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)

DRV - [2006/12/13 12:19:16 | 000,050,688 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\RxFilter.sys -- (RxFilter)

DRV - [2006/11/01 08:59:36 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLADResM.SYS -- (DLADResM)

DRV - [2006/11/01 08:59:10 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2006/11/01 08:59:10 | 000,035,064 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLABMFSM.SYS -- (DLABMFSM)

DRV - [2006/11/01 08:59:08 | 000,098,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2006/11/01 08:59:06 | 000,026,744 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2006/11/01 08:59:04 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2006/11/01 08:59:02 | 000,104,760 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2006/11/01 08:59:02 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2006/08/07 01:39:24 | 000,018,944 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nvnetbus.sys -- (nvnetbus)

DRV - [2006/08/07 01:39:22 | 000,052,736 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NVENETFD.sys -- (NVENETFD)

DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)

DRV - [2003/06/19 05:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbhub20.sys -- (usbhub20)

DRV - [2002/08/30 05:58:32 | 000,026,921 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)

DRV - [2002/08/30 05:58:04 | 002,166,454 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)

DRV - [2002/08/30 05:49:48 | 000,447,921 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52) Intel®

DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKU\.DEFAULT\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - Reg Error: Key error. File not found

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKU\S-1-5-18\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - Reg Error: Key error. File not found

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKU\S-1-5-19\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - Reg Error: Key error. File not found

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKU\S-1-5-20\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - Reg Error: Key error. File not found

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-776561741-746137067-839522115-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

IE - HKU\S-1-5-21-776561741-746137067-839522115-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-776561741-746137067-839522115-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\S-1-5-21-776561741-746137067-839522115-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-776561741-746137067-839522115-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 F6 31 65 EF 30 CB 01 [binary data]

IE - HKU\S-1-5-21-776561741-746137067-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{AA7F9527-EFF8-42AB-8C9F-8F795EEEA453}: C:\Documents and Settings\Richard\Local Settings\Application Data\{AA7F9527-EFF8-42AB-8C9F-8F795EEEA453} [2010/07/09 18:56:48 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{A7C70835-6D47-4400-A403-BEE1E7B7DEE9}: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{A7C70835-6D47-4400-A403-BEE1E7B7DEE9}\ [2010/02/14 12:00:22 | 000,000,000 | ---D | M]

[2010/09/16 06:33:38 | 000,002,075 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2010/07/30 20:46:28 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No CLSID value found.

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx ()

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx ()

O3 - HKU\S-1-5-19\..\Toolbar\WebBrowser: (Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx ()

O3 - HKU\S-1-5-20\..\Toolbar\WebBrowser: (Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx ()

O3 - HKU\S-1-5-21-776561741-746137067-839522115-1000\..\Toolbar\WebBrowser: (Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx ()

O3 - HKU\S-1-5-21-776561741-746137067-839522115-1000\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe (Acronis)

O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe (Acronis)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe ()

O4 - HKLM..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe (Maxtor)

O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)

O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe File not found

O4 - HKU\S-1-5-19..\Run: [internat.exe] File not found

O4 - HKU\S-1-5-20..\Run: [internat.exe] File not found

O4 - HKU\S-1-5-21-776561741-746137067-839522115-1000..\Run: [ccleaner] C:\Program Apps\CCleaner\ccleaner.exe (Piriform Ltd)

O4 - HKU\.DEFAULT..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)

O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\SYSTEM32\tscupgrd.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\SYSTEM32\tscupgrd.exe (Microsoft Corporation)

O4 - HKU\S-1-5-19..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)

O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\SYSTEM32\tscupgrd.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\SYSTEM32\tscupgrd.exe (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]

O7 - HKU\S-1-5-21-776561741-746137067-839522115-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-776561741-746137067-839522115-1000\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-21-776561741-746137067-839522115-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-21-776561741-746137067-839522115-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]

O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found

O15 - HKU\.DEFAULT\..Trusted Domains: yahoo.com ([mail] https in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: yahoo.com ([mail] https in Trusted sites)

O15 - HKU\S-1-5-19\..Trusted Domains: yahoo.com ([mail] https in Trusted sites)

O15 - HKU\S-1-5-20\..Trusted Domains: yahoo.com ([mail] https in Trusted sites)

O15 - HKU\S-1-5-21-776561741-746137067-839522115-1000\..Trusted Domains: yahoo.com ([mail] https in Trusted sites)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyfios.verizon.net/sdcCommo...20Installer.cab (Support.com Configuration Class)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1232414532531 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8865.9233912037 (Reg Error: Key error.)

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} http://www.verizon.net/checkmypc/includes/MotivePreQual.cab (PreQualifier Class)

O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://bartelldrugs.lifepics.com/net/Uploa...PUploader57.cab (Image Uploader Control)

O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\SYSTEM\dajava.cab (Reg Error: Key error.)

O16 - DPF: Internet Explorer Classes for Java file://C:\WINDOWS\SYSTEM\iejava.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso4.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINDOWS\System32\wzcdlg.dll (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/06/30 12:39:32 | 000,000,259 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: LanmanServer - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\mmdrv.dll (Microsoft Corporation)

Drivers32: aux2 - File not found

Drivers32: aux3 - File not found

Drivers32: aux4 - File not found

Drivers32: aux5 - File not found

Drivers32: aux6 - File not found

Drivers32: aux7 - File not found

Drivers32: aux8 - File not found

Drivers32: aux9 - File not found

Drivers32: midi2 - File not found

Drivers32: midi3 - File not found

Drivers32: midi4 - File not found

Drivers32: midi5 - File not found

Drivers32: midi6 - File not found

Drivers32: midi7 - File not found

Drivers32: midi8 - File not found

Drivers32: midi9 - File not found

Drivers32: mixer2 - File not found

Drivers32: mixer3 - File not found

Drivers32: mixer4 - File not found

Drivers32: mixer5 - File not found

Drivers32: mixer6 - File not found

Drivers32: mixer7 - File not found

Drivers32: mixer8 - File not found

Drivers32: mixer9 - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\SYSTEM32\iac25_32.ax (Intel Corporation)

Drivers32: msacm.l3acm - C:\WINDOWS\SYSTEM32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)

Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

Drivers32: VIDC.VDOM - vdowave.drv File not found

Drivers32: wave - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

Drivers32: wave2 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

Drivers32: wave3 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

Drivers32: wave6 - File not found

Drivers32: wave7 - File not found

Drivers32: wave8 - File not found

Drivers32: wave9 - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (68130555115339776)

========== Files/Folders - Created Within 30 Days ==========

[2030/11/30 07:18:47 | 000,289,280 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe

[2030/11/30 07:16:49 | 000,000,000 | ---D | C] -- C:\_Susan

[2030/11/30 07:12:40 | 000,000,000 | ---D | C] -- C:\_Richard

[2030/11/30 06:56:01 | 000,303,616 | ---- | C] (SUNIX CO., LTD.) -- C:\WINDOWS\System32\SPCIUNI.EXE

[2030/11/30 06:56:01 | 000,013,232 | ---- | C] (SUNIX CO., LTD.) -- C:\WINDOWS\System\COMUI.DLL

[2030/11/30 06:56:01 | 000,005,216 | ---- | C] (SUNIX CO., LTD.) -- C:\WINDOWS\System\PARAUI.DLL

[2030/11/30 04:04:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\nview

[2030/11/30 04:04:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System\NVSYS

[2030/11/30 04:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield

[2030/11/30 03:49:46 | 000,000,000 | ---D | C] -- C:\Program Apps

[2030/11/30 03:40:06 | 000,000,000 | ---D | C] -- C:\Program Files\Web Publish

[2030/11/30 03:40:04 | 000,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp

[2030/11/30 03:40:02 | 000,000,000 | -HSD | C] -- C:\WINDOWS\Installer

[2030/11/30 03:39:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio

[2030/11/30 03:39:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Designer

[2030/11/30 03:38:53 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft FrontPage

[2030/11/30 03:38:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\Msagent

[2030/11/30 03:37:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC

[2030/11/30 03:37:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office

[2030/11/30 03:21:16 | 000,000,000 | -HSD | C] -- C:\RECYCLED

[2030/11/30 02:48:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System\CatRoot

[2030/11/30 02:48:21 | 000,000,000 | ---D | C] -- C:\Program Files\DirectX

[2030/11/30 02:47:40 | 000,000,000 | --SD | C] -- C:\WINDOWS\Downloaded Program Files

[2030/11/30 02:47:39 | 000,000,000 | R--D | C] -- C:\WINDOWS\Offline Web Pages

[2030/11/30 02:47:17 | 000,000,000 | ---D | C] -- C:\Program Files\Uninstall Information

[2030/11/30 02:46:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\All Users

[2010/09/26 15:03:27 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

[2010/09/26 14:59:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Richard\Recent

[2010/09/25 17:29:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/09/25 17:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/09/25 17:28:28 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2010/09/25 16:40:14 | 000,000,000 | ---D | C] -- C:\Program Files\Canon

[2010/09/25 16:21:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2010/09/20 06:55:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update

[2010/09/20 05:46:30 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[17 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2030/12/01 09:39:50 | 000,008,628 | -H-- | M] () -- C:\WINDOWS\System\hpr87r03.GID

[2030/12/01 09:31:40 | 000,008,628 | -H-- | M] () -- C:\WINDOWS\System\hpr87d03.GID

[2030/11/30 07:11:46 | 000,002,006 | ---- | M] () -- C:\WINDOWS\FONTSMRT.INI

[2030/11/30 07:11:44 | 000,047,523 | ---- | M] () -- C:\WINDOWS\HPFNT.$CH

[2030/11/30 07:09:52 | 000,000,004 | ---- | M] () -- C:\WINDOWS\System\DJCP.CFG

[2030/11/30 04:26:14 | 000,000,225 | ---- | M] () -- C:\WINDOWS\TELEPHON.INI

[2030/11/30 02:48:32 | 000,074,777 | ---- | M] () -- C:\WINDOWS\Default.sfc

[2030/11/30 02:48:20 | 000,188,448 | RH-- | M] () -- C:\WINDOWS\HWINFO.DAT

[2030/11/30 02:47:46 | 000,013,122 | -H-- | M] () -- C:\WINDOWS\System\folder.htt

[2030/11/30 02:47:02 | 000,000,000 | ---- | M] () -- C:\WINDOWS\progman.ini

[2010/09/26 15:03:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

[2010/09/26 14:59:06 | 000,000,314 | -HS- | M] () -- C:\WINDOWS\tasks\HPLOHWF.job

[2010/09/26 14:59:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/09/26 14:59:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/09/26 14:58:56 | 2146,881,536 | -HS- | M] () -- C:\hiberfil.sys

[2010/09/26 13:17:07 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Richard\NTUSER.DAT

[2010/09/26 13:17:07 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Richard\ntuser.ini

[2010/09/26 13:17:02 | 004,842,166 | -H-- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\IconCache.db

[2010/09/26 13:15:08 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/09/26 13:11:05 | 000,004,678 | ---- | M] () -- C:\WINDOWS\psdxport.ini

[2010/09/26 13:11:05 | 000,000,074 | ---- | M] () -- C:\WINDOWS\psdewin.ini

[2010/09/26 13:01:57 | 000,000,879 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\WordPad.lnk

[2010/09/26 12:46:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job

[2010/09/25 16:49:12 | 000,002,572 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Word.lnk

[2010/09/25 07:28:26 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\35VhTbUFv.dat

[2010/09/25 06:57:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/09/23 16:42:25 | 000,000,246 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\Shortcut to Security Center.lnk

[2010/09/22 19:23:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\defogger_reenable

[2010/09/20 07:10:49 | 000,001,327 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/09/20 07:10:49 | 000,000,401 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/09/20 07:10:49 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2010/09/19 14:50:03 | 000,808,368 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\rx_image.Cache

[2010/09/19 14:50:03 | 000,096,968 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\rx_audio.Cache

[2010/09/19 13:17:16 | 000,002,568 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Excell.lnk

[2010/09/19 11:28:56 | 000,008,850 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\.wtav

[17 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2030/12/01 09:35:41 | 000,008,628 | -H-- | C] () -- C:\WINDOWS\System\hpr87r03.GID

[2030/12/01 09:35:00 | 000,008,628 | -H-- | C] () -- C:\WINDOWS\System\hpr87t03.GID

[2030/12/01 09:33:09 | 000,008,628 | -H-- | C] () -- C:\WINDOWS\System\hpr87h03.GID

[2030/12/01 09:25:13 | 000,008,628 | -H-- | C] () -- C:\WINDOWS\System\hpr87d03.GID

[2030/11/30 07:11:42 | 000,047,523 | ---- | C] () -- C:\WINDOWS\HPFNT.$CH

[2030/11/30 07:09:50 | 000,000,004 | ---- | C] () -- C:\WINDOWS\System\DJCP.CFG

[2030/11/30 06:44:16 | 000,026,930 | -H-- | C] () -- C:\WINDOWS\ttfCache

[2030/11/30 05:01:09 | 000,009,030 | ---- | C] () -- C:\WINDOWS\hh.dat

[2030/11/30 04:25:55 | 000,091,800 | ---- | C] () -- C:\WINDOWS\System\IntelHaM.wwh

[2030/11/30 03:45:35 | 000,002,568 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Excell.lnk

[2030/11/30 03:44:58 | 000,002,572 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Word.lnk

[2030/11/30 03:23:19 | 000,016,384 | ---- | C] () -- C:\WINDOWS\MSIMGSIZ.DAT

[2030/11/30 02:48:31 | 000,074,777 | ---- | C] () -- C:\WINDOWS\Default.sfc

[2030/11/30 02:48:19 | 000,188,448 | RH-- | C] () -- C:\WINDOWS\HWINFO.DAT

[2030/11/30 02:47:45 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt

[2030/11/30 02:47:45 | 000,021,692 | -H-- | C] () -- C:\WINDOWS\System32\folder.htt

[2030/11/30 02:47:45 | 000,021,692 | -H-- | C] () -- C:\WINDOWS\folder.htt

[2030/11/30 02:47:45 | 000,013,122 | -H-- | C] () -- C:\WINDOWS\System\folder.htt

[2010/09/26 13:01:57 | 000,000,879 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\WordPad.lnk

[2010/09/25 07:18:37 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\35VhTbUFv.dat

[2010/09/23 17:43:39 | 2146,881,536 | -HS- | C] () -- C:\hiberfil.sys

[2010/09/23 16:42:25 | 000,000,246 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\Shortcut to Security Center.lnk

[2010/09/22 19:23:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\defogger_reenable

[2010/09/20 05:46:35 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job

[2010/09/19 11:14:41 | 000,008,850 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\.wtav

[2009/10/11 16:24:11 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL

[2009/02/20 13:46:51 | 000,096,968 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\rx_audio.Cache

[2009/01/21 12:44:47 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2008/12/23 11:50:42 | 000,808,368 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\rx_image.Cache

[2008/04/14 05:41:26 | 000,533,568 | ---- | C] () -- C:\WINDOWS\System32\mszmgeke.dll

[2008/02/23 08:49:40 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

[2008/02/16 16:38:01 | 000,000,007 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt

[2008/02/16 11:16:57 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2007/08/17 14:46:37 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/08/12 10:45:32 | 000,000,305 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\addr_file.html

[2007/08/11 10:08:08 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2007/06/30 13:18:23 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS64.DLL

[2007/06/30 12:43:09 | 000,012,327 | ---- | C] () -- C:\WINDOWS\IOS.INI

[2007/06/30 12:43:09 | 000,007,885 | ---- | C] () -- C:\WINDOWS\NETDET.INI

[2007/06/30 12:43:09 | 000,005,068 | ---- | C] () -- C:\WINDOWS\DELETEFI.INI

[2007/06/30 12:43:09 | 000,004,678 | ---- | C] () -- C:\WINDOWS\psdxport.ini

[2007/06/30 12:43:09 | 000,003,598 | ---- | C] () -- C:\WINDOWS\HTMLHELP.INI

[2007/06/30 12:43:09 | 000,002,006 | ---- | C] () -- C:\WINDOWS\FONTSMRT.INI

[2007/06/30 12:43:09 | 000,001,076 | ---- | C] () -- C:\WINDOWS\HPRDJC03.INI

[2007/06/30 12:43:09 | 000,001,015 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2007/06/30 12:43:09 | 000,000,865 | ---- | C] () -- C:\WINDOWS\DOSREP.INI

[2007/06/30 12:43:09 | 000,000,804 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2007/06/30 12:43:09 | 000,000,787 | ---- | C] () -- C:\WINDOWS\SCANREG.INI

[2007/06/30 12:43:09 | 000,000,656 | ---- | C] () -- C:\WINDOWS\TRPMAKER.INI

[2007/06/30 12:43:09 | 000,000,314 | ---- | C] () -- C:\WINDOWS\BKCheck.INI

[2007/06/30 12:43:09 | 000,000,260 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2007/06/30 12:43:09 | 000,000,225 | ---- | C] () -- C:\WINDOWS\TELEPHON.INI

[2007/06/30 12:43:09 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini

[2007/06/30 12:43:09 | 000,000,150 | ---- | C] () -- C:\WINDOWS\RtlRack.ini

[2007/06/30 12:43:09 | 000,000,120 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI

[2007/06/30 12:43:09 | 000,000,074 | ---- | C] () -- C:\WINDOWS\psdewin.ini

[2007/06/30 12:43:09 | 000,000,060 | ---- | C] () -- C:\WINDOWS\POWERPNT.INI

[2007/06/30 12:43:09 | 000,000,054 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI

[2007/06/30 12:43:09 | 000,000,037 | ---- | C] () -- C:\WINDOWS\Viewer.ini

[2007/06/30 12:43:09 | 000,000,028 | ---- | C] () -- C:\WINDOWS\QTW.INI

[2007/06/30 12:43:09 | 000,000,026 | ---- | C] () -- C:\WINDOWS\MSOFFICE.INI

[2007/06/30 12:43:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\progman.ini

[2007/06/30 12:43:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OPPRINTSERVER.INI

[2007/01/23 03:46:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2007/01/15 11:34:16 | 000,035,576 | ---- | C] () -- C:\WINDOWS\System32\besched.dll

[2006/12/13 23:02:32 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll

[2006/12/13 23:02:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll

[2003/12/13 07:56:13 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\icmfilter.dll

[2003/10/02 01:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll

[2003/10/02 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll

[2003/06/20 05:00:00 | 000,176,400 | ---- | C] () -- C:\WINDOWS\System32\qcut.dll

[2002/12/18 16:10:36 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.DLL

[1999/09/25 03:36:24 | 000,088,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\lvcam.sys

[1999/09/25 03:36:22 | 000,017,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\lvsound.sys

[1999/04/23 15:22:00 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\MEMBG.DLL

[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/12/25 15:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP

[2008/02/15 19:05:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor

[2009/01/21 12:49:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NetZero

[2010/03/03 21:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic

[2010/09/20 06:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update

[2010/03/02 14:41:29 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\express\Application Data\lowsec

[2010/07/31 13:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\ElevatedDiagnostics

[2010/07/17 19:41:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\ImgBurn

[2009/09/13 15:46:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\OpenOffice.org

[2009/10/11 16:00:09 | 000,001,042 | -H-- | M] () -- C:\WINDOWS\Tasks\RCHubTask 0 0 {2E6E3A14-F6F5-404E-AC33-87F20083074D} 0~0.job

[2010/08/07 14:00:00 | 000,000,502 | ---- | M] () -- C:\WINDOWS\Tasks\Tune-up Application Start.job

[2010/09/26 12:46:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\Updater.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2007/06/30 12:39:32 | 000,000,259 | -H-- | M] () -- C:\AUTOEXEC.BAT

[2007/06/30 12:39:33 | 000,000,010 | -H-- | M] () -- C:\BOOT.DOS

[2010/09/20 07:10:49 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2007/06/30 05:19:44 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS

[2007/06/30 12:39:32 | 000,000,027 | ---- | M] () -- C:\CONFIG.SYS

[2010/09/26 14:58:56 | 2146,881,536 | -HS- | M] () -- C:\hiberfil.sys

[1999/04/23 15:22:00 | 000,222,390 | RHS- | M] () -- C:\IO.SYS

[2007/06/30 12:39:32 | 000,000,079 | ---- | M] () -- C:\MSDOS.SYS

[2009/01/21 12:42:25 | 000,001,142 | ---- | M] () -- C:\NTDClient.log

[2008/04/13 22:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2008/04/14 00:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr

[2010/09/26 14:58:55 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

[2010/07/30 19:28:10 | 000,000,425 | ---- | M] () -- C:\rkill.log

[2010/03/03 20:42:12 | 000,002,918 | ---- | M] () -- C:\rollback.ini

[2009/01/21 12:45:03 | 000,000,146 | ---- | M] () -- C:\YServer.txt

< %systemroot%\Fonts\*.com >

[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\FONTS\GlobalMonospace.CompositeFont

[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\FONTS\GlobalSansSerif.CompositeFont

[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\FONTS\GlobalSerif.CompositeFont

[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\FONTS\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >

[2010/07/28 21:27:30 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\FONTS\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

[2004/04/22 22:00:00 | 000,017,920 | ---- | M] (CANON INC.) -- C:\WINDOWS\SYSTEM32\spool\prtprocs\w32x86\CNMPD64.DLL

[2004/04/22 22:00:00 | 000,054,272 | ---- | M] (CANON INC.) -- C:\WINDOWS\SYSTEM32\spool\prtprocs\w32x86\CNMPP64.DLL

[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

[2008/07/06 03:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

[2007/06/30 12:43:09 | 000,000,305 | -HS- | M] () -- C:\Program Files\desktop.ini

[2007/06/30 12:38:21 | 000,021,952 | -H-- | M] () -- C:\Program Files\folder.htt

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

[2010/07/28 14:05:52 | 003,932,160 | ---- | M] () -- C:\WINDOWS\SYSTEM32\config\default.sav

[2010/07/28 20:50:02 | 000,262,144 | ---- | M] () -- C:\WINDOWS\SYSTEM32\config\security.sav

[2010/07/28 14:05:52 | 034,340,864 | ---- | M] () -- C:\WINDOWS\SYSTEM32\config\software.sav

[2010/07/28 14:05:52 | 008,126,464 | ---- | M] () -- C:\WINDOWS\SYSTEM32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

[2010/07/28 21:28:05 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

[2009/01/17 17:03:14 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Richard\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini

[2007/06/30 12:50:03 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Richard\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >

[2010/09/26 15:03:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

[2003/12/13 07:56:06 | 008,119,098 | RH-- | M] () -- C:\Program Files\Internet Explorer\ie5bak.DAT

[2006/05/29 02:11:20 | 008,227,462 | RH-- | M] () -- C:\Program Files\Internet Explorer\ie6bak.DAT

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

[2004/08/04 05:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

[2003/06/20 05:00:00 | 000,000,654 | ---- | M] () -- C:\WINDOWS\CONFIG\general.idf

[2003/06/20 05:00:00 | 000,000,658 | ---- | M] () -- C:\WINDOWS\CONFIG\hindered.idf

[2003/06/20 05:00:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\CONFIG\msadlib.idf

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >

[2009/01/17 17:03:14 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Richard\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

[2007/08/11 10:21:37 | 000,002,346 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

internat .exe

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

[2010/07/31 13:26:19 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\Richard\Cookies\desktop.ini

[2010/09/26 15:11:49 | 000,049,152 | -HS- | M] () -- C:\Documents and Settings\Richard\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

[2008/04/14 05:42:40 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.exe >

[2008/04/14 06:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

[1998/03/25 09:00:00 | 000,038,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM\MAPISRVR.EXE

< %USERPROFILE%\Templates\*.tmp >

< %SYSTEMDRIVE%\explorexxx.exe\*.* >

< %Windir%\Installer\*.tmp >

[2 C:\WINDOWS\Installer\*.tmp files -> C:\WINDOWS\Installer\*.tmp -> ]

< %systemroot%\System32\*.xco >

< %ProgramFiles%\system32\*.* >

< %systemroot%\System32\windos\*.* >

< %SystemRoot%\system32\sandbox\*.* >

< %SystemRoot%\system32\*.amo >

< %SystemRoot%\system32\Windows Live\*.* >

< %ProgramFiles%\logs\*.* >

< %ProgramFiles%\Bifrost\*.* >

< %SystemRoot%\system32\*.goo >

< %systemroot%\system32\IME\*.* >

< %systemroot%\BackUp\*.* >

< %systemroot%\system32\*.ico >

< %systemroot%\system\*.dat >

< %systemroot%\system\*.exe >

[1998/03/25 09:00:00 | 000,038,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM\MAPISRVR.EXE

< %AppData%\Macromedia\Common\*.* >

< %SYSTEMDRIVE%\dir\*.* /s >

< %systemroot%\system32\ras\*.exe >

< %SYSTEMDRIVE%\MFILES\*.* >

< %SYSTEMDRIVE%\mDNSRespon.exe\*.* >

< %systemroot%\system32\services\*.* >

< %systemroot%\Spooler\*.* >

< %ProgramFiles%\system32\*.* >

< %systemroot%\system32\Setup\*.dll /x >

[2003/06/20 05:00:00 | 000,147,456 | ---- | M] () -- C:\WINDOWS\SYSTEM32\Setup\wmpocm.exe

< %systemroot%\system32\*.mine >

< %SYSTEMDRIVE%\cleansweep.exe\*.* >

< %systemroot%\system32\ras\*.dll >

< %systemroot%\system32\ras\*.drv >

< %systemroot%\*.iq >

< %systemroot%\system32\XP\*.* >

< %SYSTEMDRIVE%\Extracted\*.* >

< %systemroot%\system32\windows\*.* >

< %systemroot%\logs\*.* >

< %SYSTEMDRIVE%\Win.Msi\*.* >

< %systemroot%\regedit\*.* >

< %systemroot%\system32\skype\*.* >

< %AppData%\Adobe\dlluplwin25\*.* >

< %UserProfile%\*.dat >

[2010/09/26 13:17:07 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Richard\NTUSER.DAT

< %UserProfile%\*.dll >

< %systemroot%\system32\*.sxo >

< %SYSTEMDRIVE%\Gazma\*.* /s >

< %systemroot%\system32\spynet\*.* >

< %systemroot%\system32\System\*.* >

< %appdata%\Microsoft\Windows\*.* >

< %systemroot%\system32\WinDir\*.* >

< %systemroot%\_\*.* >

< %systemroot%\system32\windows32\*.* >

< %ProgramFiles%\win\*.* >

< %AppData%\Microsoft\CD Burning\*.* >

< %systemroot%\*.cab >

[1999/04/23 15:22:00 | 000,006,325 | ---- | M] () -- C:\WINDOWS\RUNHELP.CAB

[17 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

< %systemroot%\K.Backup\*.* >

< %ProgramFiles%\Massenger\*.* >

< %systemroot%\System32\*.doc >

< %systemroot%\Office12\*.* >

< %systemroot%\System32\Rundl32.exe\*.* >

< %ProgramFiles%\yahoo.net\*.* >

< %systemroot%\system32\*.igo >

< %systemroot%\*.rew >

< %systemroot%\System32\spool\DRIVERS\W32X86\3\*.exe >

[2004/04/22 22:00:00 | 000,080,896 | ---- | M] (CANON INC.) -- C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CNMPV64.EXE

[2004/04/22 22:00:00 | 000,008,704 | ---- | M] (CANON INC.) -- C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CNMSD64.EXE

[2004/04/22 22:00:00 | 000,130,048 | ---- | M] (CANON INC.) -- C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CNMSM64.EXE

[2004/04/22 22:00:00 | 000,006,656 | ---- | M] (CANON INC.) -- C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CNMSQ64.EXE

< %USERPROFILE%\.COMMgr\*.* >

< %USERPROFILE%\Desktop\*.bat >

< %PROGRAMFILES%\Common Files\Real\visualizations\*.* >

< %PROGRAMFILES%\Internet Explorer\*.Jmp >

< %PROGRAMFILES%\Windows NT\system\*.dll >

< %systemroot%\system32\*.ext >

< %systemroot%\system32\Com\*.cfg >

< %systemroot%\system32\btz\*.* >

< %systemroot%\system32\EMP\*.* >

< %systemroot%\system32\expo\*.* >

< %systemroot%\system32\inet2\*.* >

< %systemroot%\system32\xrem\*.* >

< %ProgramFiles%\Microsoft\*.* >

< %systemroot%\usgwmt\*.* >

< %ProgramFiles%\B\*.* >

< %SYSTEMDRIVE%\lspp\*.* >

< %systemroot%\Kral\*.* >

< %SYSTEMDRIVE%\windowsdvd.exe\*.* >

< %systemroot%\system32\*.ipo >

< %SYSTEMDRIVE%\usxxxxxxxx.exe\*.* >

< %systemroot%\system32\*.mof >

< %systemroot%\*.atm >

< %systemroot%\system32\svhost\*.* >

< %ProgramFiles%\system32\*.* >

< %ProgramFiles%\Docmentt\*.* >

< %systemroot%\Help\*.vbs >

< %ProgramFiles%\Windows WinSxs\*.* /s >

< %ProgramFiles%\Outlook Express\IDT\*.* /s >

< %ProgramFiles%\Microsoft Office\365\*.* /s >

< %ProgramFiles%\Windows Live\*.* >

< %systemroot%\system32\win32\*.* >

< %SYSTEMDRIVE%\RECYCLER\*.* >

< %systemroot%\Fresh1\*.* >

< %ProgramFiles%\Kekj\*.* /s >

< %systemroot%\GDU\*.* >

< %systemroot%\KA\*.* >

< %systemroot%\R\*.* >

< %systemroot%\system32\*.fyo >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-09-15 19:09:50

< End of report >

OTL Extras logfile created on: 9/26/2010 3:09:35 PM - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Richard\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 131.02 Gb Free Space | 87.91% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: X9R2D1

Current User Name: Richard

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- %1

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe" = C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe:*:Disabled:svchost -- File not found

"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer -- (Microsoft Corporation)

"C:\Program Files\NetZero\exec.exe" = C:\Program Files\NetZero\exec.exe:*:Disabled:NetZero Internet -- File not found

"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server -- (Yahoo! Inc.)

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger -- (Yahoo! Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium

"{055EE59D-217B-43A7-ABFF-507B966405D8}" = CCC

"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime

"{093A80A1-92F7-D9D8-C8C6-AE6566A827D1}" = CCC Help English

"{126E6746-FF34-7E89-958A-10962BCBB018}" = CCC Help Hungarian

"{1D566B14-2394-127D-659F-C16D2AC291DC}" = Catalyst Control Center Graphics Light

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java 6 Update 21

"{29547059-DD7E-2BB3-5223-61602BF56F41}" = Catalyst Control Center Localization German

"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc

"{2FF0B16F-3432-DB6B-459E-E03F8135F141}" = CCC Help Norwegian

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager

"{3202F20F-E213-252F-8529-2653E4558F4F}" = Catalyst Control Center Localization Dutch

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{37A5AFB4-83E9-1EE8-DE50-1DD4818DA501}" = Catalyst Control Center Localization Russian

"{37F0ACE2-859D-C2D0-6FF8-BC011A610AE9}" = CCC Help Chinese Standard

"{393C2F00-49C1-E7B3-A87B-01909ED23C0F}" = ccc-core-preinstall

"{3B43C260-159E-C9F2-880C-0CCD8A84DAC8}" = Catalyst Control Center Localization Norwegian

"{3CCAA865-CDA8-739D-36D9-BB44EA645B43}" = Catalyst Control Center Localization Polish

"{40D526A6-1B11-9DCA-F206-3D2784898E0D}" = CCC Help Finnish

"{41DC8F20-AA5F-29C9-FD6F-D22A86AB2DFE}" = Catalyst Control Center Graphics Full Existing

"{437881D1-41B0-7A15-800A-8283CF6CDDC9}" = Catalyst Control Center Localization Japanese

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.1

"{52C3B25C-B92B-6E85-3165-496F88CBB191}" = CCC Help Danish

"{5ADDED30-31B6-62E6-9ACC-289B2BC4254E}" = CCC Help German

"{5C0344E2-5E8C-E685-8B5F-4A44C58E426A}" = Catalyst Control Center Localization Thai

"{66C28209-87A4-309B-BE9A-B3C9948FB161}" = Catalyst Control Center Localization French

"{6A9DBCC6-4C9B-2575-9F13-0097846F422D}" = ccc-utility

"{6EB6A8DD-EED3-BA20-716C-BFB2330F94E8}" = Catalyst Control Center Localization Turkish

"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs

"{74B85B80-1868-66EE-FC48-201EF564F004}" = CCC Help French

"{7A796561-0B04-82DD-B604-1DF9C660AC10}" = Catalyst Control Center Localization Korean

"{7D1097F4-255C-5DF0-1DD2-18BC6850AB85}" = ccc-core-static

"{7E308E9F-C736-B32E-AD23-3AFC78BD3804}" = Catalyst Control Center Localization Hungarian

"{81A60A13-224D-4637-8203-3EAC03B121A4}" = Maxtor


Thanks!

It's a rootkit present. Let's go after it.

Step 1.

TDSSKiller:

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillermain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.

ComboFix:

Download ComboFix from one of these locations:

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
    They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 3.

Things I would like to see in your reply:

  • The content of the report from TDSSkiller in step 1.
  • The content of C:\ComboFix.txt from step 2.
  • Information on how your computer runs after those steps.

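The TDSSKiller report that step 1 asks for has a fixed line format: a timestamp, then either a hashed driver entry, a detection verdict, the "Detected object count" summary, or the action the user chose. As an added example, not part of this thread or of TDSSKiller itself, here is a small Python parser that pulls those fields out of a pasted report, tolerates the doubled blank lines a forum paste picks up, and tells the helper whether a cure is still waiting on a reboot; the sample log and its MD5 values are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line shapes of a TDSSKiller 2.4 report as pasted in this thread: every line opens with a
# "YYYY/MM/DD HH:MM:SS.mmmm" stamp and then a message (a few stamps carry no message at all).
_STAMPED = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+(?: (?P<msg>.*))?$")
_MODULE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")  # "<svc> (<md5>) <path>"
_DETECTED = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
_ACTION = re.compile(r"^(?P<verdict>[^\s(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
_REBOOT = re.compile(r"^(?P<obj>.+?) - will be cured after reboot$")
_COUNT = re.compile(r"^Detected object count: (?P<n>\d+)$")

# Constructed sample in the same format as the report posted above; the MD5 values are placeholders.
SAMPLE_LOG = r"""2010/09/26 16:25:26.0812 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/26 16:25:26.0812
2010/09/26 16:25:26.0812 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/26 16:25:34.0796 Scan started
2010/09/26 16:25:35.0171 ACPI (00112233445566778899aabbccddeeff) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/26 16:25:45.0828 Tcpip (ffeeddccbbaa99887766554433221100) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/26 16:25:47.0421 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/09/26 16:25:47.0421 Scan finished
2010/09/26 16:25:47.0437 Detected object count: 1
2010/09/26 16:26:30.0031 \HardDisk0\MBR - will be cured after reboot
2010/09/26 16:26:30.0031 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
"""

@dataclass
class Detection:
    obj: str
    verdict: str
    action: Optional[str] = None   # Cure / Skip / Delete as chosen in the dialog, if logged
    pending_reboot: bool = False   # the cure is only written at the next boot

@dataclass
class Report:
    version: Optional[str] = None
    os_version: Optional[str] = None
    modules: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # service name -> (md5, path)
    detections: List[Detection] = field(default_factory=list)
    detected_count: Optional[int] = None  # value of the "Detected object count" line

def parse_tdsskiller_log(text: str) -> Report:
    """Parse a TDSSKiller report; blank lines and lines without a timestamp are ignored."""
    report = Report()
    by_obj: Dict[str, Detection] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _STAMPED.match(line)
        if not line or not m:
            continue
        msg = (m.group("msg") or "").strip()
        if msg.startswith("TDSS rootkit removing tool "):
            report.version = msg.split()[4]
        elif msg.startswith("OS Version: "):
            report.os_version = msg[len("OS Version: "):]
        elif (c := _COUNT.match(msg)):
            report.detected_count = int(c.group("n"))
        elif (d := _DETECTED.match(msg)):
            det = Detection(d.group("obj"), d.group("verdict"))
            by_obj[det.obj] = det
            report.detections.append(det)
        elif (a := _ACTION.match(msg)) and a.group("obj") in by_obj:
            by_obj[a.group("obj")].action = a.group("action")
        elif (r := _REBOOT.match(msg)) and r.group("obj") in by_obj:
            by_obj[r.group("obj")].pending_reboot = True
        elif (mod := _MODULE.match(msg)):
            report.modules[mod.group("name")] = (mod.group("md5"), mod.group("path"))
    return report

def triage(report: Report) -> List[str]:
    """Turn a parsed report into the points a helper checks before moving to the next step."""
    notes: List[str] = []
    if report.detected_count is None:
        notes.append("no 'Detected object count' line: log is truncated, treat as inconclusive")
    elif report.detected_count != len(report.detections):
        notes.append(f"count line says {report.detected_count}, parsed {len(report.detections)}: re-check the paste")
    if not report.detections:
        notes.append("no objects detected" if report.detected_count == 0 else "no detection lines found")
        return notes
    for det in report.detections:
        where = "boot sector (MBR)" if det.obj.upper().endswith("\\MBR") else det.obj
        status = f"{det.verdict} in {where}: action={det.action or 'not recorded'}"
        if det.pending_reboot:
            status += "; cure is written at next boot, so reboot before re-scanning"
        elif det.action in (None, "Skip"):
            status += "; object left in place, needs follow-up"
        notes.append(status)
    return notes

def needs_reboot(report: Report) -> bool:
    return any(d.pending_reboot for d in report.detections)

if __name__ == "__main__":
    for note in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print("-", note)
```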

Below are the TDSSKiller and ComboFix text files.

The infected PC we have been working on will no longer communicate on the internet.

- Internet Explorer (IE8) will not connect and displays a connection error

- malwarebytes gives the following error when I attempt to update

MBAM_ERROR_UPDATING (12007, 0, WinttttpSendRequest)

- avira will not update.

Note that I have been using another pc to communicate to mwb for this whole time as the infected pc would not allow me to post to mwb.

Otherwise the PC reboots, looks "normal", runs a MWB quick scan and copies files to a memory stick.

2010/09/26 16:25:26.0812 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/26 16:25:26.0812 ================================================================================

2010/09/26 16:25:26.0812 SystemInfo:

2010/09/26 16:25:26.0812

2010/09/26 16:25:26.0812 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/26 16:25:26.0812 Product type: Workstation

2010/09/26 16:25:26.0812 ComputerName: X9R2D1

2010/09/26 16:25:26.0812 UserName: Richard

2010/09/26 16:25:26.0812 Windows directory: C:\WINDOWS

2010/09/26 16:25:26.0812 System windows directory: C:\WINDOWS

2010/09/26 16:25:26.0812 Processor architecture: Intel x86

2010/09/26 16:25:26.0812 Number of processors: 2

2010/09/26 16:25:26.0812 Page size: 0x1000

2010/09/26 16:25:26.0812 Boot type: Normal boot

2010/09/26 16:25:26.0812 ================================================================================

2010/09/26 16:25:27.0031 Initialize success

2010/09/26 16:25:34.0796 ================================================================================

2010/09/26 16:25:34.0796 Scan started

2010/09/26 16:25:34.0796 Mode: Manual;

2010/09/26 16:25:34.0796 ================================================================================


2010/09/26 16:25:47.0421 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/09/26 16:25:47.0421 ================================================================================

2010/09/26 16:25:47.0421 Scan finished

2010/09/26 16:25:47.0421 ================================================================================

2010/09/26 16:25:47.0437 Detected object count: 1

2010/09/26 16:26:30.0031 \HardDisk0\MBR - will be cured after reboot

2010/09/26 16:26:30.0031 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

2010/09/26 16:26:44.0281 Deinitialize success

ComboFix 10-09-25.07 - Richard 09/26/2010 16:45:50.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1621 [GMT -7:00]

Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\.wtav

c:\documents and settings\express\Local Settings\Application Data\{B3D46E75-B70C-432B-8FD9-E55D6AB9E7EA}

c:\documents and settings\express\Local Settings\Application Data\{B3D46E75-B70C-432B-8FD9-E55D6AB9E7EA}\chrome.manifest

c:\documents and settings\express\Local Settings\Application Data\{B3D46E75-B70C-432B-8FD9-E55D6AB9E7EA}\chrome\content\_cfg.js

c:\documents and settings\express\Local Settings\Application Data\{B3D46E75-B70C-432B-8FD9-E55D6AB9E7EA}\chrome\content\overlay.xul

c:\documents and settings\express\Local Settings\Application Data\{B3D46E75-B70C-432B-8FD9-E55D6AB9E7EA}\install.rdf

c:\documents and settings\Richard\Local Settings\Application Data\{AA7F9527-EFF8-42AB-8C9F-8F795EEEA453}

c:\documents and settings\Richard\Local Settings\Application Data\{AA7F9527-EFF8-42AB-8C9F-8F795EEEA453}\chrome.manifest

c:\documents and settings\Richard\Local Settings\Application Data\{AA7F9527-EFF8-42AB-8C9F-8F795EEEA453}\chrome\content\_cfg.js

c:\documents and settings\Richard\Local Settings\Application Data\{AA7F9527-EFF8-42AB-8C9F-8F795EEEA453}\chrome\content\overlay.xul

c:\documents and settings\Richard\Local Settings\Application Data\{AA7F9527-EFF8-42AB-8C9F-8F795EEEA453}\install.rdf

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

c:\windows\start.exe

c:\windows\system32\1060890998.dat

c:\windows\Web\default.htt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ROXMEDIADB9DMSERVER

-------\Legacy_SYSMONLOGNETLOGON

-------\Service_IAS

-------\Service_ndisrd

-------\Service_RoxMediaDB9dmserver

-------\Service_SysmonLogNetlogon

((((((((((((((((((((((((( Files Created from 2010-08-26 to 2010-09-26 )))))))))))))))))))))))))))))))

.

2030-11-30 14:18 . 1996-03-05 15:59 289280 ----a-w- c:\windows\uninst.exe

2030-11-30 14:16 . 2010-09-25 23:52 -------- d-----w- C:\_Susan

2030-11-30 14:12 . 2010-09-26 20:09 -------- d-----w- C:\_Richard

2030-11-30 13:56 . 2001-07-15 03:36 5216 ----a-w- c:\windows\system\PARAUI.DLL

2030-11-30 13:56 . 2001-07-15 03:36 303616 ----a-w- c:\windows\system32\SPCIUNI.EXE

2030-11-30 13:56 . 2001-07-15 03:36 13232 ----a-w- c:\windows\system\COMUI.DLL

2030-11-30 12:01 . 2006-05-27 17:15 9030 ----a-w- c:\windows\hh.dat

2030-11-30 11:04 . 2007-06-30 20:01 -------- d---a-w- c:\windows\nview

2030-11-30 11:04 . 2003-06-22 20:41 3436544 ----a-w- c:\windows\system32\nvopengl.dll

2030-11-30 11:04 . 2003-06-18 13:31 5632 ----a-w- c:\windows\system32\nvarch32.dll

2030-11-30 11:04 . 2003-06-18 13:31 2667520 ----a-w- c:\windows\system32\nvdd32.dll

2030-11-30 11:04 . 2003-06-18 13:31 20480 ----a-w- c:\windows\system\nvarch16.dll

2030-11-30 11:04 . 2030-11-30 11:04 -------- d---a-w- c:\windows\system\NVSYS

2030-11-30 11:04 . 2003-06-18 13:31 94208 ----a-w- c:\windows\system32\nvinst32.dll

2030-11-30 11:04 . 2003-06-18 13:31 57344 ----a-w- c:\windows\system32\nvsvc.exe

2030-11-30 11:04 . 2003-06-18 13:31 32448 ----a-w- c:\windows\system\nvmode.dll

2030-11-30 11:04 . 2008-02-16 23:28 -------- d---a-w- c:\program files\Common Files\InstallShield

2030-11-30 10:49 . 2010-04-28 16:50 -------- d-----w- C:\Program Apps

2030-11-30 10:40 . 1998-09-11 09:16 91920 ----a-w- c:\windows\system32\FPWPP.DLL

2030-11-30 10:40 . 2030-11-30 10:40 -------- d---a-w- c:\program files\Web Publish

2030-11-30 10:40 . 2010-07-10 02:25 -------- d--ha-w- c:\windows\msdownld.tmp

2030-11-30 10:40 . 2010-09-26 00:29 -------- d-sh--w- c:\windows\Installer

2030-11-30 10:38 . 2030-11-30 10:38 -------- d---a-w- c:\program files\Microsoft FrontPage

2030-11-30 10:38 . 2010-09-23 02:10 -------- d---a-w- c:\windows\Msagent

2030-11-30 10:23 . 2003-12-13 14:54 16384 ----a-w- c:\windows\MSIMGSIZ.DAT

2030-11-30 09:48 . 2030-11-30 09:48 -------- d---a-w- c:\windows\system\CatRoot

2030-11-30 09:48 . 2030-11-30 09:48 -------- d---a-w- c:\program files\DirectX

2030-11-30 09:48 . 2030-11-30 09:48 188448 ---ha-r- c:\windows\HWINFO.DAT

2030-11-30 09:48 . 1999-04-23 22:22 131072 ----a-w- c:\windows\system\mapi32.dll

2030-11-30 09:47 . 2010-07-31 20:27 -------- d-s---w- c:\windows\Downloaded Program Files

2030-11-30 09:46 . 2007-06-30 19:39 -------- d---a-w- c:\windows\All Users

2010-09-26 00:29 . 2010-09-26 00:29 -------- d-----w- c:\program files\Common Files\Java

2010-09-26 00:29 . 2010-09-26 00:29 503808 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5893930e-n\msvcp71.dll

2010-09-26 00:29 . 2010-09-26 00:29 499712 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5893930e-n\jmc.dll

2010-09-26 00:29 . 2010-09-26 00:29 348160 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5893930e-n\msvcr71.dll

2010-09-26 00:29 . 2010-09-26 00:29 61440 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1a9aad28-n\decora-sse.dll

2010-09-26 00:29 . 2010-09-26 00:29 12800 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1a9aad28-n\decora-d3d.dll

2010-09-26 00:28 . 2010-09-26 00:28 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-26 00:28 . 2010-09-26 00:28 -------- d-----w- c:\program files\Java

2010-09-25 23:40 . 2010-09-25 23:42 -------- d-----w- c:\program files\Canon

2010-09-20 13:55 . 2010-09-20 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-09-20 12:49 . 2010-09-20 12:49 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2030-11-30 10:43 . 2030-11-30 10:43 5058 ----a-w- c:\windows\HELP\hhcolreg.dat

2030-11-30 09:48 . 2030-11-30 09:47 93271 ----a-w- c:\windows\JAVA\Packages\8JJH39JT.ZIP

2030-11-30 09:48 . 2030-11-30 09:47 2232 ----a-w- c:\windows\JAVA\Packages\Data\7P3NFR9V.DAT

2030-11-30 09:48 . 2030-11-30 09:47 558142 ----a-w- c:\windows\JAVA\Packages\EAQALV79.ZIP

2030-11-30 09:48 . 2030-11-30 09:47 2474 ----a-w- c:\windows\JAVA\Packages\Data\B5VRVZH3.DAT

2030-11-30 09:47 . 2030-11-30 09:47 2474 ----a-w- c:\windows\JAVA\Packages\Data\97HZZTBL.DAT

2030-11-30 09:47 . 2030-11-30 09:47 156441 ----a-w- c:\windows\JAVA\Packages\3ZJ3797J.ZIP

2030-11-30 09:47 . 2030-11-30 09:47 2678 ----a-w- c:\windows\JAVA\Packages\Data\S0DJ7FNF.DAT

2030-11-30 09:47 . 2030-11-30 09:47 2678 ----a-w- c:\windows\JAVA\Packages\Data\EJF3JB7P.DAT

2030-11-30 09:47 . 2030-11-30 09:47 2678 ----a-w- c:\windows\JAVA\Packages\Data\O757BPZX.DAT

2030-11-30 09:47 . 2030-11-30 09:47 2678 ----a-w- c:\windows\JAVA\Packages\Data\LBNN7XBT.DAT

2030-11-30 09:47 . 2030-11-30 09:47 2678 ----a-w- c:\windows\JAVA\Packages\Data\9Z9F5V5N.DAT

2010-09-26 20:15 . 2010-07-10 02:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-25 14:28 . 2010-09-25 14:18 112 ----a-w- c:\documents and settings\All Users\Application Data\35VhTbUFv.dat

2010-09-25 14:21 . 2009-01-21 19:18 -------- d-----w- c:\program files\Verizon

2010-09-24 00:45 . 2010-03-02 02:30 86928 ----a-w- c:\documents and settings\express\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-29 15:52 . 2010-08-29 15:52 24 ----a-w- c:\documents and settings\express\Application Data\hngmfc.dat

2010-08-26 16:13 . 2010-01-31 21:29 0 ----a-w- c:\documents and settings\express\Local Settings\Application Data\Bruki.dat

2010-08-22 18:32 . 2010-01-31 16:58 0 ----a-w- c:\windows\Bruki.dat

2010-08-17 13:17 . 2008-04-14 12:42 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-31 20:13 . 2010-07-18 01:55 -------- d-----w- c:\documents and settings\Richard\Application Data\ElevatedDiagnostics

2010-07-31 02:29 . 2010-03-04 04:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-29 05:00 . 2007-08-11 17:49 86928 ----a-w- c:\documents and settings\Richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-29 04:25 . 2007-06-30 19:37 23820 ----a-w- c:\windows\system32\emptyregdb.dat

2010-07-29 03:14 . 2010-07-29 03:14 -------- d-----w- c:\documents and settings\express\Application Data\Avira

2010-07-22 15:49 . 2008-04-14 12:42 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2010-01-22 00:50 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-06-30 12:31 . 2008-04-14 12:42 149504 ----a-w- c:\windows\system32\schannel.dll

2007-06-30 19:38 . 2030-11-30 09:47 21952 ---ha-w- c:\program files\folder.htt

2010-03-04 04:27 . 2010-03-04 03:42 1010720 --sha-w- c:\windows\SYSTEM32\DRIVERS\fidbox.dat

2010-03-04 04:27 . 2010-03-04 03:42 16928 --sha-w- c:\windows\SYSTEM32\DRIVERS\fidbox2.dat

.

c:\program files\Verizon\McciTrayApp .exe
c:\windows\SYSTEM32\internat .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [N/A]

"SoundMan"="SOUNDMAN.EXE" [2006-11-16 577536]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-01-11 232184]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2007-02-12 1121016]

"QuickTime Task"="c:\program apps\QuickTime\qttask.exe" [2007-04-27 282624]

"MaxBlastMonitor.exe"="c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [2007-04-20 1169720]

"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-01-17 109304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"AcronisTimounterMonitor"="c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe" [2007-04-20 1945712]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2007-04-20 149024]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/23/2009 8:48 PM 135336]

S0 abtjxmb;abtjxmb; [x]

S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\docume~1\Richard\LOCALS~1\Temp\AVSETUP_4a41a030\basic\avupgsvc.exe" /TEMPSTART:""c:\docume~1\Richard\LOCALS~1\Temp\AVSETUP_4a41a030\basic\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> c:\docume~1\Richard\LOCALS~1\Temp\AVSETUP_4a41a030\basic\avupgsvc.exe [?]

S3 atidgllk;atidgllk;\??\c:\docume~1\Richard\LOCALS~1\Temp\~Af26490\Upgrade\atidgllk.sys --> c:\docume~1\Richard\LOCALS~1\Temp\~Af26490\Upgrade\atidgllk.sys [?]

S3 usbhub20;USB 2.0 Root Hub Support;c:\windows\SYSTEM32\DRIVERS\usbhub20.sys [6/30/2007 5:31 AM 49776]

.

Contents of the 'Scheduled Tasks' folder

2009-10-11 c:\windows\Tasks\RCHubTask 0 0 {2E6E3A14-F6F5-404E-AC33-87F20083074D} 0~0.job

- c:\program files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe [2007-01-16 02:08]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

Trusted Zone: yahoo.com\mail

DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab

DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab

DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://bartelldrugs.lifepics.com/net/Uploader/LPUploader57.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)

AddRemove-Verizon Online Help and Support - c:\progra~1\Verizon\UNWISE.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-26 16:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89CBFC76]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f11852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(412)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(472)

c:\windows\system32\WININET.dll

c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(4024)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\SOUNDMAN.EXE

.

**************************************************************************

.

Completion time: 2010-09-26 17:00:36 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-27 00:00

Pre-Run: 140,548,860,928 bytes free

Post-Run: 140,551,766,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 10AFA9608113F729A8E1E2F928E39FC8


Something I should point out, regarding CCleaner and similar products

It's not recommended to use registry cleaners. These often cause more problems than they fix. One of the Experts here at Geekstogo, miekiemoes, has an excellent writeup here

Another excellent article by Bill Castner is located here.

There are file/folder dates 20 years into the future.

Have you changed your time setting 20 years in the future at some time and why?

Note that I have been using another pc to communicate to mwb for this whole time as the infected pc would not allow me to post to mwb.

Otherwise the pc reboots, looks "normal", ran a mwb quick scan and copies files to a memory stick.

Are you able to go to other sites on the Internet with this computer?

If you haven't done this already do so:

Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Step 1.

Uninstall unwanted programs:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Antivirus 2010

Step 2.

OTL-fix:

Run OTL.exe

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    IE - HKU\.DEFAULT\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-18\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-19\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-20\..\URLSearchHook: {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - Reg Error: Key error. File not found
    O3 - HKLM\..\Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog

Step 3.

CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\documents and settings\express\Application Data\hngmfc.dat
c:\documents and settings\express\Local Settings\Application Data\Bruki.dat
c:\windows\Bruki.dat
RenV::
c:\program files\Verizon\McciTrayApp .exe
c:\windows\SYSTEM32\internat .exe
Driver::
abtjxmb

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 4.

Filescan:

  • Using Internet Explorer please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\System32\mszmgeke.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Do the same with this:

  • C:\Documents and Settings\All Users\Application Data\35VhTbUFv.dat

Step 5.

OTL-scan:

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, untick the box beside Scan All Users at the top.
  • Underneath the option File Scans tick the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Under the Custom Scan box paste this in

    C:\Program Apps\*.*

    c:\documents and settings\express\*.


  • Click the Run Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 6.

MBRCheck:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step 7.

Things I would like to see in your reply:

Please use more than one post if needed.

  • Answer to the questions in the beginning of this post.
  • Info on if you managed to uninstall Antivirus 2010 in step 1.
  • The content of the fixlog from OTL in step 2.
  • The content of C:\ComboFix.txt in step 3.
  • The results from the filescans in step 4.
  • The content of OTL.txt in step 5
  • The content of the report from MBRCheck in step 6.

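As an added example (not part of this post, and not ComboFix's or OTL's own code), here is a small Python triage script that applies the checks this reply relies on to a ComboFix log: file or folder timestamps later than the scan time (the "20 years into the future" entries), file names with a space squeezed in before the extension (the two paths listed under RenV:: in the CFScript), and services whose image is printed as [x], which is assumed here to mean the binary is missing. The sample lines are constructed from the log formats shown above, and the scan time is taken from the "Rootkit scan 2010-09-26 16:56" line.

```python
import re
from collections import namedtuple
from datetime import datetime

# Finding kinds: "future-timestamp", "renamed-extension", "service-missing-binary"
Finding = namedtuple("Finding", "kind detail path")

# A ComboFix "Find3M" file line: <mtime> . <ctime> <size|--------> <attrs> <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+|-{8}) (\S{8}) (.+)$"
)
# A ComboFix service line: <start type> <name>;<display name>;<image path> [<size info>|x|?]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")
# A file name with whitespace before its extension, e.g. "internat .exe"
SPACED_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample, shaped after the ComboFix log lines posted in this thread.
SAMPLE_LOG = r"""
2030-11-30 09:48 . 2030-11-30 09:47 558142 ----a-w- c:\windows\JAVA\Packages\EAQALV79.ZIP
2010-09-25 14:28 . 2010-09-25 14:18 112 ----a-w- c:\documents and settings\All Users\Application Data\35VhTbUFv.dat
2010-09-25 14:21 . 2009-01-21 19:18 -------- d-----w- c:\program files\Verizon
2010-08-17 13:17 . 2008-04-14 12:42 58880 ----a-w- c:\windows\system32\spoolsv.exe
2007-06-30 19:38 . 2030-11-30 09:47 21952 ---ha-w- c:\program files\folder.htt
c:\program files\Verizon\McciTrayApp .exe
c:\windows\SYSTEM32\internat .exe
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/23/2009 8:48 PM 135336]
S0 abtjxmb;abtjxmb; [x]
S3 usbhub20;USB 2.0 Root Hub Support;c:\windows\SYSTEM32\DRIVERS\usbhub20.sys [6/30/2007 5:31 AM 49776]
"""

# Time the scan ran, taken from the "Rootkit scan 2010-09-26 16:56" line of the log.
SCAN_TIME = datetime(2010, 9, 26, 16, 56)


def _check_spaced_ext(path, findings):
    """Flag names like 'McciTrayApp .exe' (space before the extension)."""
    if SPACED_EXT_RE.search(path):
        findings.append(Finding("renamed-extension", "space before extension", path))


def triage(log_text, scan_time):
    """Return the Findings for one ComboFix log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            mtime, ctime, _size, _attrs, path = m.groups()
            # Either timestamp later than the scan is suspicious; report the first one seen.
            for label, stamp in (("modified", mtime), ("created", ctime)):
                if datetime.strptime(stamp, "%Y-%m-%d %H:%M") > scan_time:
                    findings.append(Finding("future-timestamp", f"{label} {stamp}", path))
                    break
            _check_spaced_ext(path, findings)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, image, size_info = m.groups()
            # Assumption: ComboFix prints "[x]" when the service's image file is absent.
            if size_info == "x":
                findings.append(Finding("service-missing-binary", f"{start} {name}",
                                        image or "(no image path)"))
            continue
        # Bare path lines (the block ComboFix prints before "Reg Loading Points")
        if DRIVE_PATH_RE.match(line):
            _check_spaced_ext(line, findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SCAN_TIME):
        print(f"{f.kind:24} {f.detail:28} {f.path}")
```

Each finding is a pointer for the helper to look at, not a verdict; a future date can also come from a wrong clock at install time, as this thread later confirms.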

heir

I am at my workplace and quickly looked over your most current instructions.

Answer 1: The 20 year date was a mistake made on installation of windows.

Answer 2: The infected PC can access nothing on the internet. IE comes up with a "connection problem" error and that is as far as it gets. As I said previously, mwb and avira cannot connect for updates either. This happened after running the last instructions of tdssKiller and Combofix.

From looking at your instructions it appears that I can do most of this with the applications already downloaded on the infected PC or by walking the apps, text files, and dll's between my good home pc and the infected one. Is this technique ok for step 4?

One question. I downloaded MBRcheck.exe to my memory stick here at work for later installation on the infected PC. When I tried to download Flash_Disinfector.exe my work PC would not allow it, with the explanation that it is a forbidden site. Should I assume that the IT department at work is just being overcautious and use my good home computer to download the app to a memory stick and walk it to the infected pc?

Thanks


Answer 1: The 20 year date was a mistake made on installation of windows.
OK. Asked because sometimes malware behaves like that.
From looking at your instructions it appears that I can do most of this with the applications already downloaded on the infected PC or by walking the apps, text files, and dll's between my good home pc and the infected one. Is this technique ok for step 4?
No, skip step 4 until you have access to Internet from that computer.
Answer 2: The infected PC can access nothing on the internet. IE comes up with a "connection problem" error and that is as far as it gets. As I said previously mwb and avira cannot connect for updated either. This happened after running the last instructions of tdssKiller and Combofix.
Sometimes Combofix can cause this. It can be fixed though. Go to this user guide. At the bottom are instructions on how to restore the connection to the Internet. Try restoring it and let me know if you managed to do so.
One question. I downloaded MBRcheck.exe to my memory stick here at work for later installation on the infected PC. When I tried to download Flash_Disinfector.exe my work PC would not allow it with the explaination that is a forbidden site. Should I assume that the IT department at work is just being overcautious and use my good home computer to download the app to a memory stick and walk it to the infected pc?
For some reason they've blocked that site. Don't know why though. Just use your good home computer.

What's important is that you disinfect the memory-stick you are using to transfer files back and forth from the infected computer. Run Flash_disinfector.exe on the computer you use to download it. Then it can be used to transfer files. This is to prevent any infection from spreading to other computers by jumping to that memory-stick (some infections do).

I'll check in again tomorrow morning (my time GMT+1)

EDIT: added the link to the user guide


heir

not much luck today.

Could not get flash_disinfector.exe to run on my "non infected" pc (windows vista).

now on to the "infected pc"

- Internet connection

Could not repair the net connection.

start-control panel-net comm - right click & select repair

get the following: "windows could not finish repairing...failed to query tcp/ip settings of the connection. cannot proceed."

- step 1; uninstall antivirus 2010

would not un-install and get the following message

"an error occurred trying to remove... you do not have access to \\ \globalroot\systemaroot\system32\userinit.exe"

- step 2; run otl

ran otl and will include results below.

- step 3; cfs script

combofix starts running the script then pops up a window

"combofix has detected rootkit activity and must reboot"

click ok and let reboot.

when it gets back in, a blue DOS window appears that says

"please wait" "combofix is preparing to run"

I wait for 20 minutes, then kill this window, after which I get another window that is titled "microsoft visual c++ runtime library"

and says "runtime error. program:...ommonFiles\RoxWatchTray9.exe" "app has requested the runtime to terminate in an unusual way. please contact the app support team for more information"

I then restart the pc and as it is shutting down I get the following two programs that are still running, and I click the "end now" button

- end maxblast monitor

- end sysfader

here's the otl results

All processes killed

========== OTL ==========

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}\ not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}\ not found.

Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\URLSearchHooks\\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}\ not found.

Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\URLSearchHooks\\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{F5735C15-1FB2-41FE-BA12-242757E69DDE} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5735C15-1FB2-41FE-BA12-242757E69DDE}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: express

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 489 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 245894 bytes

->Flash cache emptied: 1366 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 1310854 bytes

->Flash cache emptied: 66800 bytes

User: Richard

->Temp folder emptied: 715297 bytes

->Temporary Internet Files folder emptied: 239128 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 2312 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 10141204 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

Session Manager Temp folder emptied: 0 bytes

Session Manager Tmp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 558488 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 13.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: express

->Flash cache emptied: 0 bytes

User: LocalService

->Flash cache emptied: 0 bytes

User: NetworkService

->Flash cache emptied: 0 bytes

User: Richard

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.14.1 log created on 09272010_185429

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


heir

attached below are the text file results of the otl and mbrcheck scans.

on the subject of ccleaner.

I like the app as it is a "one stop" way to clear out all the lingering stuff microsoft leaves on the pc.

I unchecked all the registry section of the app and minimized the cleaning to stuff that I know about.

under these conditions would there still be reasons not to use it?

Thanks

OTL logfile created on: 9/28/2010 6:21:18 AM - Run 2

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Richard\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 130.91 Gb Free Space | 87.83% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: X9R2D1

Current User Name: Richard

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/26 15:03:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

PRC - [2010/06/16 23:24:52 | 000,040,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

PRC - [2010/04/22 09:31:17 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2010/03/02 10:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/04/20 09:09:58 | 001,945,712 | ---- | M] (Acronis) -- C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe

PRC - [2007/04/20 09:03:08 | 000,149,024 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe

PRC - [2007/04/20 09:03:02 | 000,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

PRC - [2007/04/20 08:59:30 | 001,169,720 | ---- | M] (Maxtor) -- C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe

PRC - [2007/02/12 09:05:00 | 001,121,016 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

PRC - [2007/01/17 03:23:38 | 000,109,304 | ---- | M] () -- C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe

PRC - [2006/11/16 14:42:52 | 000,577,536 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE

PRC - [1999/03/17 22:38:10 | 008,798,260 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office\WINWORD.EXE

========== Modules (SafeList) ==========

MOD - [2010/09/26 15:03:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\Richard\LOCALS~1\Temp\AVSETUP_4a41a030\basic\avupgsvc.exe -- (AntiVirUpgradeService)

SRV - [2010/04/22 09:31:17 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2008/04/14 05:42:40 | 000,050,176 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\utilman.exe -- (UtilMan)

SRV - [2007/04/20 09:03:02 | 000,411,168 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)

DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\fetnd5.sys -- (FETNDIS)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Richard\LOCALS~1\Temp\catchme.sys -- (catchme)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Richard\LOCALS~1\Temp\~Af26490\Upgrade\atidgllk.sys -- (atidgllk)

DRV - [2010/08/08 21:16:14 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)

DRV - [2010/08/08 21:15:52 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)

DRV - [2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)

DRV - [2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)

DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)

DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)

DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/02/15 18:50:28 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)

DRV - [2008/02/15 18:50:28 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys -- (tifsfilter)

DRV - [2008/02/15 18:50:24 | 000,120,992 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)

DRV - [2007/09/28 20:05:58 | 002,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)

DRV - [2007/02/09 12:34:16 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2007/02/08 20:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DLARTL_M.SYS -- (DLARTL_M)

DRV - [2007/02/08 20:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2007/01/10 08:19:42 | 000,099,848 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (DRVMCDB)

DRV - [2006/12/28 23:48:06 | 004,026,112 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)

DRV - [2006/12/13 12:19:16 | 000,050,688 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\RxFilter.sys -- (RxFilter)

DRV - [2006/11/01 08:59:36 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLADResM.SYS -- (DLADResM)

DRV - [2006/11/01 08:59:10 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2006/11/01 08:59:10 | 000,035,064 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLABMFSM.SYS -- (DLABMFSM)

DRV - [2006/11/01 08:59:08 | 000,098,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2006/11/01 08:59:06 | 000,026,744 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2006/11/01 08:59:04 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2006/11/01 08:59:02 | 000,104,760 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2006/11/01 08:59:02 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2006/08/07 01:39:24 | 000,018,944 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nvnetbus.sys -- (nvnetbus)

DRV - [2006/08/07 01:39:22 | 000,052,736 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NVENETFD.sys -- (NVENETFD)

DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)

DRV - [2003/06/19 05:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbhub20.sys -- (usbhub20)

DRV - [2002/08/30 05:58:32 | 000,026,921 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)

DRV - [2002/08/30 05:58:04 | 002,166,454 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)

DRV - [2002/08/30 05:49:48 | 000,447,921 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52) Intel®

DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 F6 31 65 EF 30 CB 01 [binary data]

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{A7C70835-6D47-4400-A403-BEE1E7B7DEE9}: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{A7C70835-6D47-4400-A403-BEE1E7B7DEE9}\ [2010/02/14 12:00:22 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/09/26 16:55:58 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx ()

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe (Acronis)

O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe (Acronis)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe ()

O4 - HKLM..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe (Maxtor)

O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)

O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe File not found

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found

O15 - HKCU\..Trusted Domains: yahoo.com ([mail] https in Trusted sites)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyfios.verizon.net/sdcCommo...20Installer.cab (Support.com Configuration Class)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1232414532531 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8865.9233912037 (Reg Error: Key error.)

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} http://www.verizon.net/checkmypc/includes/MotivePreQual.cab (PreQualifier Class)

O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://bartelldrugs.lifepics.com/net/Uploa...PUploader57.cab (Image Uploader Control)

O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\SYSTEM\dajava.cab (Reg Error: Key error.)

O16 - DPF: Internet Explorer Classes for Java file://C:\WINDOWS\SYSTEM\iejava.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso4.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINDOWS\System32\wzcdlg.dll (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/06/30 12:39:32 | 000,000,259 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2030/11/30 07:18:47 | 000,289,280 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe

[2030/11/30 07:16:49 | 000,000,000 | ---D | C] -- C:\_Susan

[2030/11/30 07:12:40 | 000,000,000 | ---D | C] -- C:\_Richard

[2030/11/30 06:56:01 | 000,303,616 | ---- | C] (SUNIX CO., LTD.) -- C:\WINDOWS\System32\SPCIUNI.EXE

[2030/11/30 06:56:01 | 000,013,232 | ---- | C] (SUNIX CO., LTD.) -- C:\WINDOWS\System\COMUI.DLL

[2030/11/30 06:56:01 | 000,005,216 | ---- | C] (SUNIX CO., LTD.) -- C:\WINDOWS\System\PARAUI.DLL

[2030/11/30 04:04:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\nview

[2030/11/30 04:04:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System\NVSYS

[2030/11/30 04:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield

[2030/11/30 03:49:46 | 000,000,000 | ---D | C] -- C:\Program Apps

[2030/11/30 03:40:06 | 000,000,000 | ---D | C] -- C:\Program Files\Web Publish

[2030/11/30 03:40:02 | 000,000,000 | -HSD | C] -- C:\WINDOWS\Installer

[2030/11/30 03:39:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio

[2030/11/30 03:39:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Designer

[2030/11/30 03:38:53 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft FrontPage

[2030/11/30 03:38:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\Msagent

[2030/11/30 03:37:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC

[2030/11/30 03:37:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office

[2030/11/30 02:48:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System\CatRoot

[2030/11/30 02:48:21 | 000,000,000 | ---D | C] -- C:\Program Files\DirectX

[2030/11/30 02:47:40 | 000,000,000 | --SD | C] -- C:\WINDOWS\Downloaded Program Files

[2030/11/30 02:47:39 | 000,000,000 | R--D | C] -- C:\WINDOWS\Offline Web Pages

[2030/11/30 02:47:17 | 000,000,000 | ---D | C] -- C:\Program Files\Uninstall Information

[2030/11/30 02:46:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\All Users

[2010/09/27 19:13:39 | 000,000,000 | --SD | C] -- C:\ComboFix

[2010/09/27 18:54:29 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/09/26 17:10:27 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/09/26 16:35:47 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/09/26 16:33:55 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/09/26 16:33:55 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/09/26 16:33:55 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/09/26 16:33:55 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/09/26 16:33:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/09/26 16:32:55 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/09/26 16:19:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Richard\Recent

[2010/09/26 15:03:27 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

[2010/09/25 17:29:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/09/25 17:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/09/25 17:28:28 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2010/09/25 16:40:14 | 000,000,000 | ---D | C] -- C:\Program Files\Canon

[2010/09/25 16:21:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2010/09/20 06:55:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update

[2010/09/20 05:46:30 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2010/09/07 14:44:52 | 001,293,400 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Richard\Desktop\TDSSKiller.exe

========== Files - Modified Within 30 Days ==========

[2030/12/01 09:39:50 | 000,008,628 | -H-- | M] () -- C:\WINDOWS\System\hpr87r03.GID

[2030/12/01 09:31:40 | 000,008,628 | -H-- | M] () -- C:\WINDOWS\System\hpr87d03.GID

[2030/11/30 07:11:46 | 000,002,006 | ---- | M] () -- C:\WINDOWS\FONTSMRT.INI

[2030/11/30 07:11:44 | 000,047,523 | ---- | M] () -- C:\WINDOWS\HPFNT.$CH

[2030/11/30 07:09:52 | 000,000,004 | ---- | M] () -- C:\WINDOWS\System\DJCP.CFG

[2030/11/30 04:26:14 | 000,000,225 | ---- | M] () -- C:\WINDOWS\TELEPHON.INI

[2030/11/30 02:48:32 | 000,074,777 | ---- | M] () -- C:\WINDOWS\Default.sfc

[2030/11/30 02:48:20 | 000,188,448 | RH-- | M] () -- C:\WINDOWS\HWINFO.DAT

[2030/11/30 02:47:46 | 000,013,122 | -H-- | M] () -- C:\WINDOWS\System\folder.htt

[2030/11/30 02:47:02 | 000,000,000 | ---- | M] () -- C:\WINDOWS\progman.ini

[2010/09/28 06:20:53 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Richard\Desktop\~$Btext_monSept27.rtf

[2010/09/28 06:17:24 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/09/28 06:17:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/09/28 06:17:16 | 2146,881,536 | -HS- | M] () -- C:\hiberfil.sys

[2010/09/27 20:09:37 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Richard\NTUSER.DAT

[2010/09/27 20:09:37 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Richard\ntuser.ini

[2010/09/27 18:27:20 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/09/27 07:25:30 | 000,009,219 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\MWBtext_monSept27.rtf

[2010/09/26 17:01:50 | 004,843,436 | -H-- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\IconCache.db

[2010/09/26 16:56:24 | 000,000,401 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/09/26 16:55:58 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/09/26 16:35:53 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2010/09/26 16:30:46 | 003,854,198 | R--- | M] () -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe

[2010/09/26 16:24:30 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Richard\Desktop\TDSSKiller.exe

[2010/09/26 16:23:18 | 001,193,882 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip

[2010/09/26 15:15:26 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\RKUnhookerLE.EXE

[2010/09/26 15:03:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL.exe

[2010/09/26 13:15:08 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/09/26 13:11:05 | 000,004,678 | ---- | M] () -- C:\WINDOWS\psdxport.ini

[2010/09/26 13:11:05 | 000,000,074 | ---- | M] () -- C:\WINDOWS\psdewin.ini

[2010/09/26 13:01:57 | 000,000,879 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\WordPad.lnk

[2010/09/25 16:49:12 | 000,002,572 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Word.lnk

[2010/09/25 07:28:26 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\35VhTbUFv.dat

[2010/09/23 16:42:25 | 000,000,246 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\Shortcut to Security Center.lnk

[2010/09/22 19:23:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\defogger_reenable

[2010/09/20 07:10:49 | 000,001,327 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/09/20 07:10:49 | 000,000,211 | ---- | M] () -- C:\Boot.bak

[2010/09/19 14:50:03 | 000,808,368 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\rx_image.Cache

[2010/09/19 14:50:03 | 000,096,968 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\rx_audio.Cache

[2010/09/19 13:17:16 | 000,002,568 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Excell.lnk

========== Files Created - No Company Name ==========

[2030/12/01 09:35:41 | 000,008,628 | -H-- | C] () -- C:\WINDOWS\System\hpr87r03.GID

[2030/12/01 09:35:00 | 000,008,628 | -H-- | C] () -- C:\WINDOWS\System\hpr87t03.GID

[2030/12/01 09:33:09 | 000,008,628 | -H-- | C] () -- C:\WINDOWS\System\hpr87h03.GID

[2030/12/01 09:25:13 | 000,008,628 | -H-- | C] () -- C:\WINDOWS\System\hpr87d03.GID

[2030/11/30 07:11:42 | 000,047,523 | ---- | C] () -- C:\WINDOWS\HPFNT.$CH

[2030/11/30 07:09:50 | 000,000,004 | ---- | C] () -- C:\WINDOWS\System\DJCP.CFG

[2030/11/30 06:44:16 | 000,026,930 | -H-- | C] () -- C:\WINDOWS\ttfCache

[2030/11/30 05:01:09 | 000,009,030 | ---- | C] () -- C:\WINDOWS\hh.dat

[2030/11/30 04:25:55 | 000,091,800 | ---- | C] () -- C:\WINDOWS\System\IntelHaM.wwh

[2030/11/30 03:45:35 | 000,002,568 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Excell.lnk

[2030/11/30 03:44:58 | 000,002,572 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Word.lnk

[2030/11/30 03:23:19 | 000,016,384 | ---- | C] () -- C:\WINDOWS\MSIMGSIZ.DAT

[2030/11/30 02:48:31 | 000,074,777 | ---- | C] () -- C:\WINDOWS\Default.sfc

[2030/11/30 02:48:19 | 000,188,448 | RH-- | C] () -- C:\WINDOWS\HWINFO.DAT

[2030/11/30 02:47:45 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt

[2030/11/30 02:47:45 | 000,021,692 | -H-- | C] () -- C:\WINDOWS\System32\folder.htt

[2030/11/30 02:47:45 | 000,021,692 | -H-- | C] () -- C:\WINDOWS\folder.htt

[2030/11/30 02:47:45 | 000,013,122 | -H-- | C] () -- C:\WINDOWS\System\folder.htt

[2010/09/28 06:20:53 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Richard\Desktop\~$Btext_monSept27.rtf

[2010/09/27 19:10:15 | 000,009,219 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\MWBtext_monSept27.rtf

[2010/09/26 16:35:53 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/09/26 16:35:49 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2010/09/26 16:33:55 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/09/26 16:33:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/09/26 16:33:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/09/26 16:33:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/09/26 16:33:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/09/26 16:30:44 | 003,854,198 | R--- | C] () -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe

[2010/09/26 16:23:18 | 001,193,882 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip

[2010/09/26 15:15:26 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\RKUnhookerLE.EXE

[2010/09/26 13:01:57 | 000,000,879 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\WordPad.lnk

[2010/09/25 07:18:37 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\35VhTbUFv.dat

[2010/09/23 17:43:39 | 2146,881,536 | -HS- | C] () -- C:\hiberfil.sys

[2010/09/23 16:42:25 | 000,000,246 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\Shortcut to Security Center.lnk

[2010/09/22 19:23:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\defogger_reenable

[2009/10/11 16:24:11 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL

[2009/02/20 13:46:51 | 000,096,968 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\rx_audio.Cache

[2009/01/21 12:44:47 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2008/12/23 11:50:42 | 000,808,368 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\rx_image.Cache

[2008/04/14 05:41:26 | 000,533,568 | ---- | C] () -- C:\WINDOWS\System32\mszmgeke.dll

[2008/02/23 08:49:40 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

[2008/02/16 16:38:01 | 000,000,007 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt

[2008/02/16 11:16:57 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2007/08/17 14:46:37 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/08/12 10:45:32 | 000,000,305 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\addr_file.html

[2007/08/11 10:08:08 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2007/06/30 13:18:23 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS64.DLL

[2007/06/30 12:43:09 | 000,012,327 | ---- | C] () -- C:\WINDOWS\IOS.INI

[2007/06/30 12:43:09 | 000,007,885 | ---- | C] () -- C:\WINDOWS\NETDET.INI

[2007/06/30 12:43:09 | 000,005,068 | ---- | C] () -- C:\WINDOWS\DELETEFI.INI

[2007/06/30 12:43:09 | 000,004,678 | ---- | C] () -- C:\WINDOWS\psdxport.ini

[2007/06/30 12:43:09 | 000,003,598 | ---- | C] () -- C:\WINDOWS\HTMLHELP.INI

[2007/06/30 12:43:09 | 000,002,006 | ---- | C] () -- C:\WINDOWS\FONTSMRT.INI

[2007/06/30 12:43:09 | 000,001,076 | ---- | C] () -- C:\WINDOWS\HPRDJC03.INI

[2007/06/30 12:43:09 | 000,001,015 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2007/06/30 12:43:09 | 000,000,865 | ---- | C] () -- C:\WINDOWS\DOSREP.INI

[2007/06/30 12:43:09 | 000,000,804 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2007/06/30 12:43:09 | 000,000,787 | ---- | C] () -- C:\WINDOWS\SCANREG.INI

[2007/06/30 12:43:09 | 000,000,656 | ---- | C] () -- C:\WINDOWS\TRPMAKER.INI

[2007/06/30 12:43:09 | 000,000,314 | ---- | C] () -- C:\WINDOWS\BKCheck.INI

[2007/06/30 12:43:09 | 000,000,260 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2007/06/30 12:43:09 | 000,000,225 | ---- | C] () -- C:\WINDOWS\TELEPHON.INI

[2007/06/30 12:43:09 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini

[2007/06/30 12:43:09 | 000,000,150 | ---- | C] () -- C:\WINDOWS\RtlRack.ini

[2007/06/30 12:43:09 | 000,000,120 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI

[2007/06/30 12:43:09 | 000,000,074 | ---- | C] () -- C:\WINDOWS\psdewin.ini

[2007/06/30 12:43:09 | 000,000,060 | ---- | C] () -- C:\WINDOWS\POWERPNT.INI

[2007/06/30 12:43:09 | 000,000,054 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI

[2007/06/30 12:43:09 | 000,000,037 | ---- | C] () -- C:\WINDOWS\Viewer.ini

[2007/06/30 12:43:09 | 000,000,028 | ---- | C] () -- C:\WINDOWS\QTW.INI

[2007/06/30 12:43:09 | 000,000,026 | ---- | C] () -- C:\WINDOWS\MSOFFICE.INI

[2007/06/30 12:43:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\progman.ini

[2007/06/30 12:43:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OPPRINTSERVER.INI

[2007/01/23 03:46:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2007/01/15 11:34:16 | 000,035,576 | ---- | C] () -- C:\WINDOWS\System32\besched.dll

[2006/12/13 23:02:32 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll

[2006/12/13 23:02:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll

[2003/12/13 07:56:13 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\icmfilter.dll

[2003/10/02 01:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll

[2003/10/02 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll

[2003/06/20 05:00:00 | 000,176,400 | ---- | C] () -- C:\WINDOWS\System32\qcut.dll

[2002/12/18 16:10:36 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.DLL

[1999/09/25 03:36:24 | 000,088,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\lvcam.sys

[1999/09/25 03:36:22 | 000,017,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\lvsound.sys

[1999/04/23 15:22:00 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\MEMBG.DLL

[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/12/25 15:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP

[2008/02/15 19:05:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor

[2009/01/21 12:49:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NetZero

[2010/03/03 21:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic

[2010/09/20 06:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update

[2010/07/31 13:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\ElevatedDiagnostics

[2010/07/17 19:41:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\ImgBurn

[2009/09/13 15:46:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\OpenOffice.org

========== Purity Check ==========

========== Custom Scans ==========

< C:\Program Apps\*.* >

[2000/08/17 03:00:20 | 000,463,872 | ---- | M] (Joshua F. Madison) -- C:\Program Apps\CONVERT.EXE

< c:\documents and settings\express\*. >

[2010/08/29 08:52:43 | 000,000,000 | RH-D | M] -- c:\Documents and Settings\express\Application Data

[2010/09/23 17:43:52 | 000,000,000 | -HSD | M] -- c:\Documents and Settings\express\Cookies

[2010/08/29 09:36:02 | 000,000,000 | ---D | M] -- c:\Documents and Settings\express\Desktop

[2010/08/22 09:44:03 | 000,000,000 | R--D | M] -- c:\Documents and Settings\express\Favorites

[2010/02/28 11:20:56 | 000,000,000 | -HSD | M] -- c:\Documents and Settings\express\IETldCache

[2010/09/26 17:00:44 | 000,000,000 | -H-D | M] -- c:\Documents and Settings\express\Local Settings

[2010/02/28 11:20:57 | 000,000,000 | R--D | M] -- c:\documents and settings\express\My Documents

[2007/06/30 05:29:49 | 000,000,000 | -H-D | M] -- c:\Documents and Settings\express\NetHood

[2007/06/30 05:29:49 | 000,000,000 | -H-D | M] -- c:\Documents and Settings\express\PrintHood

[2010/03/01 15:08:22 | 000,000,000 | -HSD | M] -- c:\Documents and Settings\express\PrivacIE

[2010/09/23 17:43:53 | 000,000,000 | RH-D | M] -- c:\documents and settings\express\Recent

[2009/10/13 15:07:41 | 000,000,000 | RH-D | M] -- c:\Documents and Settings\express\SendTo

[2007/08/11 09:59:21 | 000,000,000 | R--D | M] -- c:\Documents and Settings\express\Start Menu

[2007/06/30 12:36:15 | 000,000,000 | -H-D | M] -- c:\Documents and Settings\express\Templates

[2009/04/14 09:23:50 | 000,000,000 | -HSD | M] -- c:\Documents and Settings\express\UserData

< End of report >

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 132):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E4000 \WINDOWS\system32\hal.dll

0x89D48000 \WINDOWS\system32\KDCOM.DLL

0xBA4BC000 \WINDOWS\system32\BOOTVID.dll

0xB9F79000 ACPI.sys

0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB9F68000 pci.sys

0xBA0A8000 isapnp.sys

0xBA0B8000 ohci1394.sys

0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xBA5AA000 viaide.sys

0xBA0D8000 MountMgr.sys

0xB9F49000 ftdisk.sys

0xBA5AC000 dmload.sys

0xB9F23000 dmio.sys

0xBA330000 PartMgr.sys

0xBA0E8000 VolSnap.sys

0xB9F0B000 atapi.sys

0xBA0F8000 disk.sys

0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB9EEB000 fltmgr.sys

0xB9ED9000 sr.sys

0xB9EC2000 drvmcdb.sys

0xBA118000 PxHelp20.sys

0xB9EAB000 KSecDD.sys

0xB9E1E000 Ntfs.sys

0xB9DF1000 NDIS.sys

0xB9D91000 timntr.sys

0xB9D75000 snapman.sys

0xB9D5B000 Mup.sys

0xBA318000 \SystemRoot\system32\DRIVERS\processr.sys

0xBA148000 \SystemRoot\system32\DRIVERS\serial.sys

0xBA56C000 \SystemRoot\system32\DRIVERS\serenum.sys

0xB90FC000 \SystemRoot\system32\DRIVERS\parport.sys

0xBA158000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xB93AE000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xB93A6000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xB939E000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xB90D8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xB9396000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB8D01000 \SystemRoot\system32\drivers\ALCXWDM.SYS

0xB8CDD000 \SystemRoot\system32\drivers\portcls.sys

0xBA168000 \SystemRoot\system32\drivers\drmk.sys

0xB8CBA000 \SystemRoot\system32\drivers\ks.sys

0xBA178000 \SystemRoot\system32\DRIVERS\imapi.sys

0xBA5EA000 \SystemRoot\System32\Drivers\DLACDBHM.SYS

0xBA188000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xBA198000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB938E000 \SystemRoot\System32\Drivers\Modem.SYS

0xBA1A8000 \SystemRoot\system32\DRIVERS\nvnetbus.sys

0xB8BAC000 \SystemRoot\system32\DRIVERS\NVNRM.SYS

0xB8B59000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS

0xB88CF000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xB88BB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xBA768000 \SystemRoot\system32\DRIVERS\audstub.sys

0xBA1B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA574000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB88A4000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xBA1C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA1D8000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xB9386000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB937E000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xB9376000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB8874000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA1E8000 \SystemRoot\system32\DRIVERS\termdd.sys

0xBA5EC000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB8816000 \SystemRoot\system32\DRIVERS\update.sys

0xBA58C000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA1F8000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xBA2B8000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xBA60E000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xB6A8E000 \SystemRoot\system32\DRIVERS\NVENETFD.sys

0xBA61A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xBA6C0000 \SystemRoot\System32\Drivers\Null.SYS

0xBA61C000 \SystemRoot\System32\Drivers\Beep.SYS

0xB947C000 \SystemRoot\System32\Drivers\DLARTL_M.SYS

0xB9484000 \SystemRoot\System32\drivers\vga.sys

0xBA61E000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA620000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xBA398000 \SystemRoot\System32\Drivers\Msfs.SYS

0xBA3A0000 \SystemRoot\System32\Drivers\Npfs.SYS

0xB8029000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA992E000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xB6A5E000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xA98D5000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xA98AD000 \SystemRoot\system32\DRIVERS\netbt.sys

0xA9887000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xA9865000 \SystemRoot\System32\drivers\afd.sys

0xB9130000 \SystemRoot\system32\DRIVERS\netbios.sys

0xBA438000 \SystemRoot\system32\DRIVERS\ssmdrv.sys

0xA979A000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA972A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xAA4E0000 \SystemRoot\System32\Drivers\Fips.SYS

0xA950B000 \SystemRoot\system32\DRIVERS\avipbb.sys

0xBA62A000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys

0x9E558000 \SystemRoot\System32\Drivers\Cdfs.SYS

0x9D631000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xBA63A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0x9E457000 \SystemRoot\System32\drivers\Dxapi.sys

0x9E358000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0x9E027000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF057000 \SystemRoot\System32\ati2cqag.dll

0xBF0D1000 \SystemRoot\System32\atikvmag.dll

0xBF13D000 \SystemRoot\System32\atiok3x2.dll

0xBF16B000 \SystemRoot\System32\ati3duag.dll

0xBF468000 \SystemRoot\System32\ativvaxx.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0x9B41C000 \SystemRoot\system32\DRIVERS\avgntflt.sys

0xBA288000 \SystemRoot\System32\Drivers\DRVNDDM.SYS

0xB91E9000 \SystemRoot\system32\DRIVERS\tifsfilt.sys

0xBA6B0000 \SystemRoot\System32\DLA\DLADResM.SYS

0x9B404000 \SystemRoot\System32\DLA\DLAIFS_M.SYS

0xB91E1000 \SystemRoot\System32\DLA\DLAOPIOM.SYS

0x9E88F000 \SystemRoot\System32\DLA\DLAPoolM.SYS

0xB91D9000 \SystemRoot\System32\DLA\DLABMFSM.SYS

0xB91D1000 \SystemRoot\System32\DLA\DLABOIOM.SYS

0x9B3EE000 \SystemRoot\System32\DLA\DLAUDFAM.SYS

0x9B3D7000 \SystemRoot\System32\DLA\DLAUDF_M.SYS

0x9F1EB000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x9B35A000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xBA5B4000 \SystemRoot\System32\Drivers\ParVdm.SYS

0x9AFD5000 \SystemRoot\system32\drivers\wdmaud.sys

0x9B14A000 \SystemRoot\system32\drivers\sysaudio.sys

0x9AC74000 \SystemRoot\System32\Drivers\HTTP.sys

0x9ABA6000 \SystemRoot\system32\drivers\kmixer.sys

0x9AB60000 \SystemRoot\System32\Drivers\Fastfat.SYS

0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 37):

0 System Idle Process

4 System

332 C:\WINDOWS\SYSTEM32\smss.exe

380 csrss.exe

408 C:\WINDOWS\SYSTEM32\winlogon.exe

456 C:\WINDOWS\SYSTEM32\services.exe

468 C:\WINDOWS\SYSTEM32\lsass.exe

688 C:\WINDOWS\SYSTEM32\ati2evxx.exe

708 C:\WINDOWS\SYSTEM32\svchost.exe

764 svchost.exe

816 C:\WINDOWS\SYSTEM32\svchost.exe

900 svchost.exe

944 C:\WINDOWS\SYSTEM32\ati2evxx.exe

1032 svchost.exe

1128 C:\WINDOWS\SYSTEM32\spoolsv.exe

1180 C:\Program Files\Avira\AntiVir Desktop\sched.exe

1224 svchost.exe

1288 C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

1312 C:\Program Files\Avira\AntiVir Desktop\avguard.exe

1360 C:\Program Files\Java\jre6\bin\jqs.exe

1408 C:\Program Files\Common Files\Motive\McciCMService.exe

1432 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

1640 C:\WINDOWS\SYSTEM32\svchost.exe

2312 alg.exe

2480 C:\WINDOWS\explorer.exe

2636 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

2644 C:\WINDOWS\SOUNDMAN.EXE

2660 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

2688 C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe

2696 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe

2752 C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe

2760 C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe

2768 C:\Program Files\Common Files\Java\Java Update\jusched.exe

2776 C:\WINDOWS\SYSTEM32\ctfmon.exe

3296 C:\WINDOWS\SYSTEM32\wuauclt.exe

3888 C:\WINDOWS\SYSTEM32\rundll32.exe

3928 C:\Documents and Settings\Richard\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: MAXTORSTM3160815AS, Rev: 3.AAD

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 9471F76341EC22019F575AA4EE8662FDA0BEAF3C

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


Looks as if this might be a BOOTKIT infection.

I need a copy of the mbr.

Copy the content of the codebox

"C:\Documents and Settings\Richard\Desktop\MBRCheck.exe" -s 0 -d dump0.dat

Go to Start -> Run ...

Paste it in like this

[screenshot: the Run dialog with the MBRCheck command above pasted in]

MBRCheck will create a new log and also the file dump0.dat on your desktop.

Please paste the content of the new log in your reply.

Please attach the file dump0.dat in your reply.

Also what is the make and model of your computer?

-----

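Parsing the dump0.dat requested above, as an added example that is not MBRCheck's code and not part of the original post: it reads the 512-byte sector, checks the 0x55AA signature, hashes the boot code, decodes the partition table (which is where the log's 0x7e00 offset comes from: LBA 63 × 512 bytes) and compares the hash against a caller-supplied allowlist. The sample MBR bytes, the allowlist hash, the "Microsoft error strings" heuristic and the hashed region (the first 440 bytes; the thread does not say which bytes MBRCheck hashes) are all constructed assumptions.

```python
"""Analyse a raw MBR sector dump such as the dump0.dat MBRCheck writes with
"-s 0 -d dump0.dat". Added example for this thread; it is not MBRCheck's own
code and does not know MBRCheck's internal list of known-good MBRs."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440        # boot code; disk signature and partition table follow
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
# Error strings carried by the stock Microsoft MBR of the 2000/XP era.
# Their absence is only a hint that the code is not the stock one.
MS_MBR_STRINGS = (b"Invalid partition table",
                  b"Error loading operating system",
                  b"Missing operating system")


@dataclass
class Partition:
    slot: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        """Offset MBRCheck prints for a volume, e.g. 0x7e00 for LBA 63."""
        return self.lba_start * SECTOR


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four 16-byte slots; empty slots (type 0) are skipped."""
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append(Partition(slot, status == 0x80, ptype, lba, count))
    return parts


def analyse_mbr(mbr: bytes, known_good: Dict[str, str]) -> dict:
    """known_good maps SHA1(boot code) -> label for MBRs you trust.
    The 440-byte boot-code region is hashed here (assumption)."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one full 512-byte sector")
    mbr = mbr[:SECTOR]
    code = mbr[:BOOT_CODE_LEN]
    boot_sha1 = hashlib.sha1(code).hexdigest().upper()
    report = {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "boot_sha1": boot_sha1,
        "has_ms_strings": all(s in code for s in MS_MBR_STRINGS),
        "partitions": parse_partitions(mbr),
    }
    if boot_sha1 in known_good:
        report["verdict"] = "Known MBR code: " + known_good[boot_sha1]
    elif report["has_ms_strings"]:
        report["verdict"] = "Unknown MBR code (Microsoft strings present; verify hash)"
    else:
        report["verdict"] = "Unknown MBR code (no Microsoft boot strings; non-standard or infected)"
    return report


def analyse_dump_file(path: str, known_good: Dict[str, str]) -> dict:
    """Run the analysis on a dump file such as dump0.dat."""
    with open(path, "rb") as fh:
        return analyse_mbr(fh.read(SECTOR), known_good)


def build_sample_mbr(boot_code: bytes, lba_start: int, sectors: int) -> bytes:
    """Construct a 512-byte MBR with one active NTFS partition for testing."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\xDE\xAD\xBE\xEF\x00\x00"          # 4-byte signature + 2 reserved
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", lba_start, sectors)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + b"\x55\xaa"


# Constructed stand-ins: neither is real Microsoft nor real bootkit code.
STOCK_LIKE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00".join(MS_MBR_STRINGS) + b"\x00"
HOOKED_LIKE = b"\xEB\x00" * 48                     # loader stub, no error strings
SAMPLE_STOCK = build_sample_mbr(STOCK_LIKE, 63, 312_576_642)
SAMPLE_HOOKED = build_sample_mbr(HOOKED_LIKE, 63, 312_576_642)
STOCK_SHA1 = hashlib.sha1(SAMPLE_STOCK[:BOOT_CODE_LEN]).hexdigest().upper()
ALLOWLIST = {STOCK_SHA1: "constructed stand-in for the stock XP MBR"}

if __name__ == "__main__":
    for name, dump in (("stock", SAMPLE_STOCK), ("hooked", SAMPLE_HOOKED)):
        r = analyse_mbr(dump, ALLOWLIST)
        p = r["partitions"][0]
        print(f"{name}: {r['verdict']}  SHA1={r['boot_sha1']}")
        print(f"  partition {p.slot}: type 0x{p.type_id:02X} "
              f"at offset 0x{p.byte_offset:08x} ({p.sectors} sectors)")
```

Point analyse_dump_file at a real dump0.dat and supply hashes you have verified yourself; a hash missing from the allowlist means "unknown", not "infected", which is exactly why the helper asks for the dump rather than trusting the one-line verdict.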

heir

Below is the MBR log file.

I believe that I attached the dump0.dat, as the attachment space used reads 3.32K,

although there is a red X with the message "upload failed. You are not permitted to upload this type of file".

MBRCheck, version 1.2.3

© 2010, AD

Command-line: -s 0 -d dump0.dat

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001c

Kernel Drivers (total 133):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E4000 \WINDOWS\system32\hal.dll

0x89C9A000 \WINDOWS\system32\KDCOM.DLL

0xBA4BC000 \WINDOWS\system32\BOOTVID.dll

0xB9F79000 ACPI.sys

0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB9F68000 pci.sys

0xBA0A8000 isapnp.sys

0xBA0B8000 ohci1394.sys

0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xBA5AA000 viaide.sys

0xBA0D8000 MountMgr.sys

0xB9F49000 ftdisk.sys

0xBA5AC000 dmload.sys

0xB9F23000 dmio.sys

0xBA330000 PartMgr.sys

0xBA0E8000 VolSnap.sys

0xB9F0B000 atapi.sys

0xBA0F8000 disk.sys

0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB9EEB000 fltmgr.sys

0xB9ED9000 sr.sys

0xB9EC2000 drvmcdb.sys

0xBA118000 PxHelp20.sys

0xB9EAB000 KSecDD.sys

0xB9E1E000 Ntfs.sys

0xB9DF1000 NDIS.sys

0xB9D91000 timntr.sys

0xB9D75000 snapman.sys

0xB9D5B000 Mup.sys

0xBA2F8000 \SystemRoot\system32\DRIVERS\processr.sys

0xBA308000 \SystemRoot\system32\DRIVERS\serial.sys

0xBA564000 \SystemRoot\system32\DRIVERS\serenum.sys

0xB8564000 \SystemRoot\system32\DRIVERS\parport.sys

0xBA318000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xB875D000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xB8755000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xB874D000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xB8540000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xB8745000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB8169000 \SystemRoot\system32\drivers\ALCXWDM.SYS

0xB8145000 \SystemRoot\system32\drivers\portcls.sys

0xBA148000 \SystemRoot\system32\drivers\drmk.sys

0xB8122000 \SystemRoot\system32\drivers\ks.sys

0xBA158000 \SystemRoot\system32\DRIVERS\imapi.sys

0xBA5F0000 \SystemRoot\System32\Drivers\DLACDBHM.SYS

0xBA168000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xBA178000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB873D000 \SystemRoot\System32\Drivers\Modem.SYS

0xBA188000 \SystemRoot\system32\DRIVERS\nvnetbus.sys

0xB8014000 \SystemRoot\system32\DRIVERS\NVNRM.SYS

0xB7FC1000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS

0xB7D37000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xB7D23000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xBA742000 \SystemRoot\system32\DRIVERS\audstub.sys

0xBA198000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA56C000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB7D0C000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xBA1A8000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA1B8000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xB8735000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB872D000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xB8725000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB7CDC000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA1C8000 \SystemRoot\system32\DRIVERS\termdd.sys

0xBA5F2000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB7C7E000 \SystemRoot\system32\DRIVERS\update.sys

0xBA588000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA1D8000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xBA298000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xBA618000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xB5F26000 \SystemRoot\system32\DRIVERS\NVENETFD.sys

0xBA62E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xBA6A3000 \SystemRoot\System32\Drivers\Null.SYS

0xBA630000 \SystemRoot\System32\Drivers\Beep.SYS

0xBA390000 \SystemRoot\System32\Drivers\DLARTL_M.SYS

0xBA398000 \SystemRoot\System32\drivers\vga.sys

0xBA632000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA634000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xB884B000 \SystemRoot\System32\Drivers\Msfs.SYS

0xB8843000 \SystemRoot\System32\Drivers\Npfs.SYS

0xB7366000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA845F000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xA99D9000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xA8406000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xA83B6000 \SystemRoot\system32\DRIVERS\netbt.sys

0xA8390000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xA836E000 \SystemRoot\System32\drivers\afd.sys

0xA99C9000 \SystemRoot\system32\DRIVERS\netbios.sys

0xBA498000 \SystemRoot\system32\DRIVERS\ssmdrv.sys

0xA8343000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA82D3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xA99A9000 \SystemRoot\System32\Drivers\Fips.SYS

0xA7EA4000 \SystemRoot\system32\DRIVERS\avipbb.sys

0xBA63C000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys

0xA32C5000 \SystemRoot\System32\Drivers\Cdfs.SYS

0x9CB6E000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xBA642000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0x9DA6A000 \SystemRoot\System32\drivers\Dxapi.sys

0xBA3D0000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0x9D34B000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF057000 \SystemRoot\System32\ati2cqag.dll

0xBF0D1000 \SystemRoot\System32\atikvmag.dll

0xBF13D000 \SystemRoot\System32\atiok3x2.dll

0xBF16B000 \SystemRoot\System32\ati3duag.dll

0xBF468000 \SystemRoot\System32\ativvaxx.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0x9A959000 \SystemRoot\system32\DRIVERS\avgntflt.sys

0xA3245000 \SystemRoot\System32\Drivers\DRVNDDM.SYS

0xB85A0000 \SystemRoot\system32\DRIVERS\tifsfilt.sys

0xA2266000 \SystemRoot\System32\DLA\DLADResM.SYS

0x9A941000 \SystemRoot\System32\DLA\DLAIFS_M.SYS

0xB8598000 \SystemRoot\System32\DLA\DLAOPIOM.SYS

0xA2C76000 \SystemRoot\System32\DLA\DLAPoolM.SYS

0xB8590000 \SystemRoot\System32\DLA\DLABMFSM.SYS

0xB8588000 \SystemRoot\System32\DLA\DLABOIOM.SYS

0x9A92B000 \SystemRoot\System32\DLA\DLAUDFAM.SYS

0x9A914000 \SystemRoot\System32\DLA\DLAUDF_M.SYS

0xA4AD2000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x9A86F000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xBA638000 \SystemRoot\System32\Drivers\ParVdm.SYS

0x9A742000 \SystemRoot\system32\drivers\wdmaud.sys

0xBA238000 \SystemRoot\system32\drivers\sysaudio.sys

0x9A6F4000 \SystemRoot\system32\drivers\kmixer.sys

0x9A189000 \SystemRoot\System32\Drivers\HTTP.sys

0xBA458000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS

0x99FE8000 \SystemRoot\System32\Drivers\Fastfat.SYS

0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 39):

0 System Idle Process

4 System

332 C:\WINDOWS\SYSTEM32\smss.exe

380 csrss.exe

408 C:\WINDOWS\SYSTEM32\winlogon.exe

456 C:\WINDOWS\SYSTEM32\services.exe

468 C:\WINDOWS\SYSTEM32\lsass.exe

692 C:\WINDOWS\SYSTEM32\ati2evxx.exe

712 C:\WINDOWS\SYSTEM32\svchost.exe

768 svchost.exe

860 C:\WINDOWS\SYSTEM32\svchost.exe

924 svchost.exe

960 C:\WINDOWS\SYSTEM32\ati2evxx.exe

1028 svchost.exe

1140 C:\WINDOWS\SYSTEM32\spoolsv.exe

1188 C:\Program Files\Avira\AntiVir Desktop\sched.exe

1232 svchost.exe

1312 C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

1336 C:\Program Files\Avira\AntiVir Desktop\avguard.exe

1388 C:\Program Files\Java\jre6\bin\jqs.exe

1428 C:\Program Files\Common Files\Motive\McciCMService.exe

1452 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

1772 C:\WINDOWS\explorer.exe

1960 C:\WINDOWS\SYSTEM32\svchost.exe

192 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

184 C:\WINDOWS\SYSTEM32\wuauclt.exe

212 C:\WINDOWS\SOUNDMAN.EXE

236 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

256 C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe

296 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe

324 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

348 C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe

360 C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe

376 C:\Program Files\Common Files\Java\Java Update\jusched.exe

148 C:\WINDOWS\SYSTEM32\ctfmon.exe

1816 wmiprvse.exe

2484 alg.exe

3096 C:\WINDOWS\SYSTEM32\wuauclt.exe

3164 C:\Documents and Settings\Richard\Desktop\MBRCheck.exe

Dumping \\.\PhysicalDrive0 to dump0.dat...

Dumped successfully!

Done!


heir

Below is the report from rootkit killer.

Windows install CDs out and ready to go.

Note: some thoughts on the memory stick

I am almost positive that the memory stick I was using got infected.

I was not able to load the tool to clean it here at home and my work pc blocked that site.

Good news is that we might soon have my work IT helping us as I think I transported it to work.

Bad news...

Anyway, given that the memory stick I was using on the "infected" pc was probably infected itself,

does that change any direction we want to go?

The infected pc still cannot make an internet connection.

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB81A4000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 4026368 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))

0xBF16B000 C:\WINDOWS\System32\ati3duag.dll 3133440 bytes (ATI Technologies Inc. , ati3duag.dll)

0xB7D72000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2662400 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBF468000 C:\WINDOWS\System32\ativvaxx.dll 1597440 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0xB804F000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 1105920 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)

0xB9E1E000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xBF057000 C:\WINDOWS\System32\ati2cqag.dll 499712 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xA8A3F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xBF0D1000 C:\WINDOWS\System32\atikvmag.dll 442368 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xB9D91000 timntr.sys 393216 bytes (Acronis, Acronis True Image Backup Archive Explorer)

0xB7CB9000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xA8B72000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xB7FFC000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 339968 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 282624 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0x9A5E0000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xB7D17000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xBF13D000 C:\WINDOWS\System32\atiok3x2.dll 188416 bytes (ATI Technologies Inc., Ring 0 x2 component)

0x9AD66000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB9DF1000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0x9A1B3000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xA8AAF000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xA8B22000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xA8AFC000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xB8180000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB857B000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB815D000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xA8ADA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xA8610000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 139264 bytes (Avira GmbH, Avira Driver for Security Enhancement)

0x806E4000 ACPI_HAL 134400 bytes

0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xB9D75000 snapman.sys 114688 bytes (Acronis, Acronis Snapshot API)

0xB9D5B000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0x9AE38000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 98304 bytes (Roxio, Drive Letter Access Component)

0x9D065000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0x9AE0B000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 94208 bytes (Roxio, Drive Letter Access Component)

0xB9EC2000 drvmcdb.sys 94208 bytes (Sonic Solutions, Device Driver)

0xB9EAB000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xB7D47000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0x9AE22000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 90112 bytes (Roxio, Drive Letter Access Component)

0x9AE50000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)

0x9AC39000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB859F000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xB7D5E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xA8BCB000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xB9ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xA8D11000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xBA308000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xBA2C8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xBA2E8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xBA318000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xBA268000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xBA248000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xBA2D8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xB90FD000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 53248 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)

0xBA158000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xBA178000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xB72DE000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 45056 bytes (Roxio, Device Driver Manager)

0xB60AC000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xBA2F8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xBA168000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xBA198000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xBA188000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xB60DC000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xB60CC000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0x9A281000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xBA148000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 36864 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)

0xBA2B8000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xBA118000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xB8778000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)

0xB887E000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xBA408000 C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 32768 bytes (Acronis, Acronis True Image File System Filter)

0xB8780000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xBA418000 C:\WINDOWS\System32\DLA\DLABMFSM.SYS 28672 bytes (Roxio, Drive Letter Access Component)

0xB886E000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Roxio, Drive Letter Access Component)

0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xBA390000 C:\WINDOWS\System32\Drivers\DLARTL_M.SYS 24576 bytes (Roxio, Shared Driver Component)

0xB8798000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xB8790000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xBA498000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)

0xBA398000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xBA428000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 20480 bytes (Roxio, Drive Letter Access Component)

0xB8886000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xB8768000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xB8760000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xB8770000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xB8788000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xBA340000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xBA584000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0x9D08F000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xBA564000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xBA4BC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0x9DEDD000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xBA56C000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xB73A1000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xBA644000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)

0xBA638000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xBA5F6000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Roxio, Shared Driver Component)

0xBA61C000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Roxio, Drive Letter Access Component)

0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xBA616000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xBA636000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xBA63A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xBA64E000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xBA63C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xBA5F8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xBA61E000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xBA5AA000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

0xBA5A8000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0x89CB2000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xBA736000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xA2ADD000 C:\WINDOWS\System32\DLA\DLADResM.SYS 4096 bytes (Roxio, Drive Letter Access Component)

0x9D4A0000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xBA69E000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

!!!!!!!!!!!Hidden driver: 0x89CFEABF ?_empty_? 1345 bytes

==============================================

>Stealth

==============================================

0xB9F0B000 WARNING: suspicious driver modification [atapi.sys::0x89CFEABF]


You need to fix the MBR from the Recovery Console.

In case something should go wrong you need to make sure that no important data can be lost.

Please make backups of important data on your computer.

When that's done please proceed with the following.

------------------------------------------------------------------------

You might want to print out these instructions, as you won't have access to them while booting from the Windows CD.

Note! Please read through all the instructions and ask any questions needed before you begin with the steps below.

--------------------------------------------------------------------------

Step 1.

Fixmbr:

  1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
    Note: Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
  2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    Note: If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
  3. When you are prompted to do so, type the Administrator password. If the Administrator password is blank, just press ENTER.
  4. At the Recovery Console command prompt, type the following, then press Enter:

    fixmbr

  5. Remove the Windows XP CD-ROM from the CD-ROM drive.
  6. Type exit and press Enter to restart the computer.

When the computer has booted up again, log in and proceed with the following.

Step 2.

MBRCheck:

Double-click on MBRCheck to run it and paste the content of the resulting log in your reply.

Step 3.

Things I would like to see in your reply:

  • The content of the log from MBRCheck in step 2.

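As an added example (not from this thread and not MBRCheck's own code), here is a small Python parser for a 512-byte MBR: it validates the 0x55AA signature, extracts the disk signature and partition table, and hashes the boot-code region so it can be compared against a set of trusted hashes, which is the kind of check a tool like MBRCheck performs after a fixmbr. The sample sector, the device path in the comment and the hash set are constructed assumptions for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a disk image or raw device."""
    # On Windows a raw device looks like r"\\.\PhysicalDrive0" (requires admin rights).
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic MBR: boot-code hash, disk signature and non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype == 0:  # empty table entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),  # bytes 0..439
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def mbr_is_known_good(sector: bytes, known_good_hashes: set) -> bool:
    """True when the boot-code region matches a trusted hash; any patch to it changes the hash."""
    return parse_mbr(sector)["boot_code_sha256"] in known_good_hashes


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS-type (0x07) partition at LBA 63."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 436  # 440 bytes
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"                  # signature + 2 reserved bytes
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_000_000)
    return boot_code + disk_sig + entry + b"\x00" * 48 + BOOT_SIGNATURE  # 512 bytes total
```

A real check reads sector 0 with read_mbr() and compares its hash with a hash list taken from a clean install of the same Windows version; a mismatch alone does not prove infection, since OEM boot managers also ship custom MBR code.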
